Re: Password Cracking

From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/21/03


From: "Lohkee" <Lohkee@worldnet.att.net>
Date: Tue, 21 Jan 2003 19:30:39 GMT


"DaveK" <DaveK@dontspamme.petitmorte.noireallydontlikethepinkstuff.net>
wrote in message news:n3bX9.119$6U3.391@newsfep4-gui.server.ntli.net...
> "Lohkee" <Lohkee@worldnet.att.net> wrote in message
> news:2PEW9.3154$zF6.273943@bgtnsc04-news.ops.worldnet.att.net...
>
> ---snip---
> >The goal, and sole justification for password cracking exercises, is to
> >reduce risk by enforcing the use of strong passwords via the identification
> >and subsequent elimination of those that are weak.
> ---snip---
>
> Well, I would have said "The goal for password cracking exercises is to
> reduce risk by reducing the use of weak passwords through identifying as
> many of them as possible". Then I would have gone on to raise all the good
> points that you make about security in depth, and using lockouts and all the
> other options available to you, rather than go on about the inability of
> one single security tool to perform a task that it isn't actually meant to
> be able to do.

The problem is that cracking passwords does not reduce risk.

>
> ---snip---
> > Password crackers ignore these mathematical realities and instead
> > categorize a given password as "weak" or "strong" based on nothing more than
> > their ability to crack it. Essentially, the relative strength or weakness of
> > a given password is ultimately determined by the password cracking software
> > and resources applied to the task thus making the definition of "strong"
> > completely arbitrary, for example: The "dictionary" attack will discover a
> > user's password, no matter how complex, if that password happens to be on
> > the word-list used for the attack. Conversely, even the weakest password
> > will remain a secret if it is not. This "definition" of strength is
> > completely irrational and thus surrenders all credibility if for no other
> > reason than it is entirely possible for a password that is considered "weak"
> > today to become "strong" tomorrow which, given the rapid evolution of
> > technology, is clearly utter nonsense but extremely easy to demonstrate by
> > simply switching wordlists.
> ---snip---
>
> I think you misunderstand what password crackers are about. They *can*
> prove a password to be weak. But they cannot prove it to be strong. The
> password crackers I've seen don't make any attempt to 'categorize'
> passwords: that's a false inference that *you* have made based on *your*
> misunderstandings. They simply reveal the ones they can uncover, in the
> order in which they uncover them.

Which are by inference "weak." I would also suggest looking at some PW
cracking vendors' websites, and the verbiage they use.

>
> > What conclusion should we draw if the password
> > cracker fails to uncover any (or only a few) passwords? Do we automatically
> > infer that users have selected "strong" passwords, or should we question the
> > quality of our word-list? What standard do we use to measure this? Are there
> > any standards?
>
> You cannot draw *any* conclusion if the password cracker fails to uncover
> a password, you can only draw a conclusion when it succeeds. Specifically,
> you can deduce that there is at least one setup (combinations of hardware
> power and dictionary wordlist size) under which the password is easily
> cracked. However, you cannot prove a negative so easily if it fails to
> crack the password.

Aren't you simply repeating the point made in the paper?

>
> IOW, rather than abandon the pw cracking technique altogether, we should
> merely understand its limitations; it is only one tool in the security
> arsenal, and the only thing it can do is identify *some* weak passwords for
> you. It cannot identify all weak passwords, nor can it identify strong
> passwords.

What is the point in keeping something that will always leave you at the
point from which you started??????

>
> You also wrote...
>
> ---snip---
> The point here is that it is a given any password of eight characters or
> less can be cracked within a very reasonable amount of time. A dictionary
> attack might do it in nine minutes but is unpredictable. A brute force
> attack might take nine days but is completely predictable.
> ---snip---
>
> You just made those figures up, didn't you? Have you ever tried to run a
> *real* brute force search to completion? Here, let me give you some *REAL*
> numbers rather than guesses you just pulled out of thin air:
>
> JtR running on a 1 Ghz athlon based machine cracking ntlm passwords achieves
> about 880,000 keys tested per second.
>
> An 8-char password based on upper/lower case characters, numerics, and
> symbols (let's say 95 possible chars, as you have in your other post)
>
> 95^8 = 6634204312890625
>
> 6634204312890625 / 880000 = 7538868537
>
> 7538868537 / (60 * 60 * 24) = 87255.4
>
> That's NOT nine days, that's ninety thousand days. That's five orders of
> magnitude away from nine days. You have overexaggerated the ease of a brute
> force attack by a factor of roughly a hundred thousand. If you have to use
> such faked statistics to make your case, I say you haven't made it.

I have exaggerated nothing. In fact, I may have *understated* the case.
Your statements are driven by your equipment and *very* limited view of the
world. Before making such claims it would be wise to think about the
possibilities. You might do a search on DESCHALL and see what they were able
to accomplish using much older equipment years ago. Also, I would suspect a
1Ghz Athlon pales in comparison to a system with multiple processors,
particularly one that is running an operating system that does not eat up
most of the system resources. Just a guess though.

Lohkee!

>
>
> DaveK
> --
> moderator of
> alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
> Burn your ID card! http://www.optional-identity.org.uk/
> Help support the campaign, copy this into your .sig!
> Proud Member of the Exclusive "I have been plonked by Davee because he
> thinks I'm interesting" List Member #<insert number here>
> Master of Many Meowing Minions
> Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
> and beyond the call of hilarity.
> PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
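
The keyspace arithmetic disputed in this exchange, carried through as an added example (not code from either poster). It also covers the "eight characters or less" case and the aggregate guess rate a nine-day exhaustive search would require. The function names are assumptions; the inputs (95 characters, length 8, 880,000 keys/s, nine days) are the figures quoted in the thread.

```python
SECONDS_PER_DAY = 60 * 60 * 24


def keyspace(charset_size, length, up_to=False):
    """Candidate passwords of exactly `length` characters, or of every
    length from 1 to `length` when up_to is True."""
    if up_to:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def exhaust_days(candidates, keys_per_second):
    """Worst-case days to try every candidate at a fixed guess rate."""
    return candidates / keys_per_second / SECONDS_PER_DAY


def rate_for_deadline(candidates, days):
    """Guess rate (keys/s) needed to exhaust the keyspace within `days`."""
    return candidates / (days * SECONDS_PER_DAY)


def summarize(charset_size, length, keys_per_second, target_days):
    """Collect the quantities the two posters argue about in one place."""
    exact = keyspace(charset_size, length)
    total = keyspace(charset_size, length, up_to=True)
    worst = exhaust_days(exact, keys_per_second)
    needed = rate_for_deadline(exact, target_days)
    return {
        "exact_keyspace": exact,
        "up_to_keyspace": total,
        "worst_case_days": worst,
        # On average a uniformly random password falls halfway through.
        "average_days": worst / 2,
        "up_to_worst_case_days": exhaust_days(total, keys_per_second),
        "rate_needed_keys_per_s": needed,
        # How many machines at the quoted rate add up to the needed rate.
        "machines_needed": needed / keys_per_second,
    }


if __name__ == "__main__":
    # Figures quoted in the thread, not measurements made here.
    for name, value in summarize(95, 8, 880_000, 9).items():
        print(f"{name:>24}: {value:,.1f}")
```

Exhaustion time scales linearly with the guess rate, so the result depends entirely on the rate assumed for the attacker's hardware.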