Re: password cracking question

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 07/18/05


Date: 18 Jul 2005 17:53:58 GMT

Proteus <nospam@nowhere.net> writes:

>Unruh wrote:
>..
>> He might have found a backup tape lying around for example. He might have
>> booted into the machine in single user and gotten the file.
>> One of the reasons that Linux went over to shadow passwords was that
>> programs like yours were becoming popular.

>So for my purposes, the main (good) use of a password cracking program is to
>test whether my users' (and mine, i.e. root) passwords are strong, right?
>(that is my intended purpose). And how long do I let the password cracking
>program run before I assume my passwords are strong-- I mean one could in
>theory let the cracking program run for days or weeks. When is enough
>enough, when is a password considered strong enough (and how do I know if a
>password I create is strong enough to thwart crackers?)?

The program, AFAIK, will finally quit.
However, for root or for yourself you should KNOW if your password is good
enough. It is silly to use the cracker program to test a password you know.

You can look up the algorithm that the cracker uses. It is
primarily dictionary based. I.e., it checks if the word is in a dictionary,
etc. In theory the cryptlib module in pam which checks the passwords when
you enter them should use the same type of program that the cracker does to
check the password when entered. Unfortunately Alex Muffet's idea of what
is a weak password and mine differ.
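
The dictionary-style check discussed in this post, applied at the moment a password is chosen, might look like the following. This is an added example, not part of the original post and not the code of any cracker or PAM module; the wordlist, the mangling rules and the names `candidates` and `check_password` are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a large dictionary file.
WORDLIST = {"password", "dragon", "letmein", "summer", "linux"}

# Assumed substitution rules, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password):
    """Return the plain forms a mangled password reduces to."""
    base = password.lower()
    # Drop leading/trailing digits and punctuation: "summer2005!" -> "summer".
    forms = {base, re.sub(r"^[^a-z]+|[^a-z]+$", "", base)}
    # Undo character substitutions: "p4ssw0rd" -> "password".
    forms |= {f.translate(LEET) for f in forms}
    # Reversed words are a standard dictionary rule: "nogard" -> "dragon".
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def check_password(password, username="", min_length=8):
    """Return the reasons a password is rejected; an empty list means
    none of these (assumed) rules matched."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    forms = candidates(password)
    if forms & WORDLIST:
        reasons.append("based on a dictionary word")
    if username and username.lower() in forms:
        reasons.append("based on the username")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Summer2005!", "p4ssw0rd1", "nogard99", "vK9#qT2m!xLw"]:
        print(pw, "->", check_password(pw) or "no rule matched")
```

An empty result only means the password is not reachable by these particular rules; a cracker with a larger dictionary or rule set may still find it.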