Re: Password Cracking
From: Ernst-Udo Wallenborn (ernst-udo.wallenborn@freenet.de)
Date: 01/24/03
- Next message: Lohkee: "Re: Password Cracking"
- Previous message: Ernst-Udo Wallenborn: "Re: Password Cracking"
- In reply to: Fireglyph: "Re: Password Cracking"
- Next in thread: Fireglyph: "Re: Password Cracking"
- Reply: Fireglyph: "Re: Password Cracking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ernst-Udo Wallenborn <ernst-udo.wallenborn@freenet.de> Date: 24 Jan 2003 23:15:53 +0100
Fireglyph <fireglyph@gmx.net> writes:
> I think Ernst-Udo Wallen has overlooked the problem that once there
> is a password generation scheme, which changes the entropy of course,
> and the hacker knows about that entropy, he doesn't need to try some
> words at all. That is, if he finds out about the password generation
> policy, he can safely assume that some words have Prob=0.
Depends on the generation scheme. If passwords are generated by a
decent (pseudo) random number generator, then the attacker would
have to know the 50-odd bits that described the state of the computer
(most prngs use hashes of network interface, process information
etc., which usually amount to about 50 bits per second) when
the password was generated, which usually was some time ago.
But of course, if your generation scheme is "first three letters
of family name, followed by first three digits of phone number"
then you have good-looking passwords with an entropy of 0.
> The problem you're pointing us to is that once there is *any*
> scheme (bias) involved in our distribution, security depends on keeping
> the generation scheme secret. That is security by obscurity and that
> is always bad.
Right.
> Can we do better? Yes, we can.
> There is *one* "scheme" which is superior to all others, because only
> words are generated which are equally "strong". I already mentioned it:
> the best way to create secure passwords is to generate them truly
> randomly, using the whole keyspace (that is, without any bias = scheme).
> Since it is likely that hackers will still try dictionary attacks, we
> could reject passwords from dictionaries and those from the known
> password generation scheme you mentioned. As long as the keyspace is
> big enough and the rest of the words is generated truly randomly,
> this wouldn't make a big difference.
Thats why i always recommend to make (pseudo) random password generators
easily accessible to your users and check with LC4, john the ripper etc.
periodically that they don't use dictionary words.
-- Ernst-Udo Wallenborn
- Next message: Lohkee: "Re: Password Cracking"
- Previous message: Ernst-Udo Wallenborn: "Re: Password Cracking"
- In reply to: Fireglyph: "Re: Password Cracking"
- Next in thread: Fireglyph: "Re: Password Cracking"
- Reply: Fireglyph: "Re: Password Cracking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
