[2667] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Brett L. Hawn)
Mon Jun 3 21:10:14 1996
Date: Mon, 3 Jun 1996 14:49:03 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Brett L. Hawn" <blh@nol.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199606031637.MAA08888@wabakimi.carleton.ca>
On Mon, 3 Jun 1996, Aaron Merifield wrote:
> Why not just change the system so that it won't accept a dictionary name as
> a valid password. Six to eight characters and at least 1 or 2 numbers
> would make it a little more difficult too.
> The main way to crack password files seems to involve using dictionary
> files (that you can easily get from the net) and using brute force to
> compare the encrypted dictionary words to the encrypted passwords.
> Therefore just don't allow dictionary words as passwords. Although you can
> still make your own dictionary files of random characters, the percentage
> of people that would even bother drops big time, IMO.
You can lead a user to a good password but you can only make them use it for
so long. Not to mention anyone with the time and desire can create a fairly
nifty 'dictfile' like I did a few years back. All it takes is some simple
brain power and a LOT of disk space, a quick file that prints all variations
of 5-8 character length combinations to a file. I stopped mine at 238 megs and
it was still going strong.
Brett
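The attack both posters are describing, as an added worked example (this is not code from the Bugtraq thread or from either poster): a minimal cracker that tries dictionary words, then cheaply mangled dictionary words, then exhaustive enumeration, against a list of salted hashes, plus the arithmetic for how large an exhaustive 5-8 character "dictfile" actually is. Assumptions: the hash is salted SHA-256 standing in for the crypt(3) DES hashes of 1996 password files; the wordlist, user names, salts and passwords are constructed for the demo; `policy_ok` is one reading of the "no dictionary words, 6-8 characters, one or two digits" rule proposed in the quoted message.

```python
"""Added example (not from the Bugtraq post): dictionary -> mangling -> exhaustive
cracking against salted hashes, and the size of an exhaustive 5-8 char wordlist.

Assumption: salted SHA-256 stands in for crypt(3); all sample data is constructed."""
import hashlib
import itertools

# Constructed sample wordlist (a real run would read a dictionary file from disk).
WORDLIST = ["password", "secret", "letmein", "dragon"]


def hash_pw(salt: str, password: str) -> str:
    """Salted hash standing in for crypt(3) (assumption: SHA-256 instead of DES)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def policy_ok(password: str, wordlist) -> bool:
    """One reading of the proposed rule: 6-8 chars, at least one digit, not a dictionary word."""
    return (6 <= len(password) <= 8
            and any(c.isdigit() for c in password)
            and password.lower() not in wordlist)


def mangled(word: str):
    """A dictionary word plus the usual cheap mangling: case variants and appended digits."""
    seen = set()
    for variant in (word, word.capitalize(), word.upper()):
        if variant in seen:
            continue
        seen.add(variant)
        yield variant
        for n in range(100):
            yield f"{variant}{n}"


def exhaustive(alphabet: str, min_len: int, max_len: int):
    """Every string of min_len..max_len characters over alphabet, shortest first."""
    for k in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=k):
            yield "".join(chars)


def candidates(wordlist, alphabet: str, min_len: int, max_len: int):
    """Cheap guesses first (dictionary + mangling), then exhaustive enumeration."""
    for word in wordlist:
        yield from mangled(word)
    yield from exhaustive(alphabet, min_len, max_len)


def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of strings of length min_len..max_len over an alphabet of alphabet_size."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def dictfile_bytes(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Bytes needed to write every such string one per line (k chars plus newline)."""
    return sum(alphabet_size ** k * (k + 1) for k in range(min_len, max_len + 1))


def crack(records, guesses, budget=None):
    """records: (user, salt, digest) tuples. Returns ({user: password}, guesses tried).
    Each guess is hashed once per distinct salt; that per-user salt is what stops an
    attacker from hashing the dictionary once and comparing it against everybody."""
    cracked = {}
    tried = 0
    for guess in guesses:
        if len(cracked) == len(records) or (budget is not None and tried >= budget):
            break
        tried += 1
        for user, salt, digest in records:
            if user not in cracked and hash_pw(salt, guess) == digest:
                cracked[user] = guess
    return cracked, tried


def run_demo():
    # Constructed accounts: a plain dictionary word, a password that satisfies
    # policy_ok but is a mangled dictionary word, and a short random string that
    # only exhaustive enumeration (here over 1-3 lowercase letters) will catch.
    plaintexts = {"alice": "secret", "bob": "Secret77", "carol": "zzq"}
    records = [(u, u[:2], hash_pw(u[:2], p)) for u, p in plaintexts.items()]
    guesses = candidates(WORDLIST, "abcdefghijklmnopqrstuvwxyz", 1, 3)
    return crack(records, guesses)


if __name__ == "__main__":
    cracked, tried = run_demo()
    print(cracked, "after", tried, "guesses")
    print("policy_ok('Secret77'):", policy_ok("Secret77", WORDLIST))
    gb = dictfile_bytes(26, 5, 8) / 1e9
    print(f"all lowercase 5-8 char strings, one per line: {gb:.0f} GB")
```

Two things the numbers show. "Secret77" passes the proposed policy (8 characters, two digits, not in the dictionary) and still falls in a few hundred guesses, because banning dictionary words does nothing against dictionary words with the obvious mangling applied. And writing out every 5-8 character string even over lowercase letters alone needs about 1.9 TB at one string per line, so a few hundred megabytes of such a file covers a tiny fraction of that space; the cracker does not need the file at all, since `exhaustive` generates the same strings on the fly.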