Re: Choosing secure passwords - Feedback solicited

From: Lohkee (lohkee@worldnet.att.net)
Date: 04/07/02


From: "Lohkee" <lohkee@worldnet.att.net>
Date: Sun, 07 Apr 2002 20:01:51 GMT


"Franz Hoffmann" <FranzHoffmann@web.de> wrote in message
news:8MMgVgZkNBB@blubb.dialin.t-online.de...
> Lohkee schrieb:
>
> > Unfortunately, passwords that follow these commonly prescribed rules
> > are only "strong" in an absurd fantasy world where the only possible
> > method of cracking passwords is by a dictionary attack. In a world
> > where more than one method exists for the cracking of passwords, you
> > may want to consider the following: If you compare any two passwords
> > of equal length you will find, in many cases, that selecting what
> > security professionals insist would be a very strong password, as
> > opposed to randomly choosing a word that might be found in any
> > dictionary, will actually result in choosing a password that is
> > provably much easier to crack! A brute force attack, for example,
> > will discover the password "#4a!F%H2" long before it will ever find
> > the password "zucchini" because the ASCII representation for each
> > character is numerically lower.
>
> Would you agree that, on all existing computers, the password "zucchini"
> is much more widely used than "#4a!F%H2"? Therefore, to crack the
> passwords of a computer, I would try zucchini first. Using your
> 500.000.000 keys/second cracking machine, it would take only a few
> seconds to check a really huge dictionary including all kinds of
> variations like upper- and lower case, etc.
>
> Of course, zucchini may not be in that dictionary.
>
> So you would probably continue with brute force. The cracking program
> might ask you which kinds of characters to use:
>
> 1) Lower case only (26 chars) 7:23 Minutes
> 2) Upper and lower case (54 chars) 41 Hours
> 3) All kinds (95 chars) 155 Days
>
> Being optimistic, I would of course try 1) first. :-)
> And that's why passwords *should* contain upper- and lowercase, numbers
> and eventually punctuation. You are technically right that those rules
> do reduce the number of possible passwords significantly and might lower
> the time needed for a brute force attack from 155 to 53 days. But since
> you can crack the "weak" passwords (like zucchini) in no time at all,
> that does not really matter.
> --

And that was my point. A **recommendation** for a mix of characters is a
good thing; a **rule** (unless carefully constructed) to enforce a mix of
characters is a bad thing!
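A worked calculation of the keyspace figures being argued over, added here as an example (not code from Lohkee or Franz Hoffmann); it assumes the 95-character printable ASCII split into 26 + 26 + 10 + 33 and the 500,000,000 keys/second rate quoted in the thread, and it also counts the space left by a "must contain every class" rule, which the thread states only as a day count:

```python
from itertools import combinations

# Assumed character-class sizes for printable ASCII (26 + 26 + 10 + 33 = 95)
# and the 500,000,000 keys/second rate quoted in the thread.
LOWER, UPPER, DIGIT, PUNCT = 26, 26, 10, 33
RATE = 500_000_000

def keyspace(alphabet_size, length):
    """Strings of exactly `length` drawn freely from an alphabet of that size."""
    return alphabet_size ** length

def keyspace_requiring_all(class_sizes, length):
    """Strings of `length` over the union of the classes that contain at least
    one character from EVERY class, i.e. what a composition rule still allows.
    Inclusion-exclusion: alternately subtract and add the strings that avoid
    each subset of the classes."""
    total = 0
    for k in range(len(class_sizes) + 1):
        for dropped in combinations(range(len(class_sizes)), k):
            remaining = sum(s for i, s in enumerate(class_sizes) if i not in dropped)
            total += (-1) ** k * remaining ** length
    return total

def exhaustive_seconds(space, rate=RATE):
    """Worst-case time to enumerate the whole space at `rate` guesses/second."""
    return space / rate

def describe(seconds):
    """Human-readable duration, largest unit first."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    length = 8
    for label, n in (("lower only", LOWER), ("upper+lower", LOWER + UPPER),
                     ("all printable", 95)):
        space = keyspace(n, length)
        print(f"{label:14s} {space:>20d}  {describe(exhaustive_seconds(space))}")
    # A rule forcing every class to appear shrinks the space an attacker must cover.
    forced = keyspace_requiring_all([LOWER, UPPER, DIGIT, PUNCT], length)
    print(f"{'must mix all 4':14s} {forced:>20d}  {describe(exhaustive_seconds(forced))}")
    print(f"ratio forced / free: {forced / keyspace(95, length):.2f}")
```

The lower-case-only figure comes out at about 7 minutes, matching the thread; the forced-mix space is under half of the free 95-character space, which is the reduction Lohkee's point rests on.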
