Re: Password complexity vs Brute Force

From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 04/15/05


Date: Fri, 15 Apr 2005 12:22:18 +1000

Well, you may not be running a banking installation, but you should still
consider the actual level of damage someone could do if they breached your
passwords. For a small organisation, a relatively small amount of damage can
be significant. A big corporate could shrug off a $100,000 problem. Could
your soccer club? (Admittedly, as far as I know, you could be the network
admin for Manchester United, in which case scale up!)

If you consider the cost of having more secure passwords (relatively low)
against the risks of leaving them as they are (relatively high, if you can
brute-force them in 2hrs), well, I know what I'd be doing.

-- 
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joel Cote" <JoelCote@discussions.microsoft.com> wrote in message 
news:9F4A647E-1A39-4015-8141-8EAE921FA271@microsoft.com...
> Hi!
>
> Considering password policies that require some complexity and all, I have
> run a brute force attack on my server.
>
> It found that password in 2h7mins. Is that too low as a measure considering
> I monitor everything, having alerts on my emails and cell phones set up?
>
> Should I try to reach a higher level?
> There is no critical personal data on the server which can get me into
> trouble, I am the network manager for a soccer club, not a bank ;)
>
> What's your opinion on that?
>
> Thanks!
>
> 

