[2680] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Shaun Lowry)
Tue Jun 4 18:57:41 1996
Date: Tue, 4 Jun 1996 10:12:13 +0100
Reply-To: Shaun Lowry <s.lowry@march.co.uk>
From: Shaun Lowry <shaunl@march.co.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.SOL.3.93.960603144707.25688A-100000@dazed.nol.net> from
"Brett L. Hawn" at Jun 3, 96 02:49:03 pm
"Brett L. Hawn" <blh@nol.net> wrote:
>You can lead a user to a good password but you can only make them use it for
>so long.
Is this not desirable? The longer they keep that good password, the worse it
gets. Make them choose another good password!
>Not to mention anyone with the time and desire can create a fairly
>nifty 'dictfile' like I did a few years back. All it takes is some simple
>brain power and a LOT of disk space, a quick file that prints all variations
>of 5-8 character length combinations to a file. I stopped mine at 238megs and
>it was still going strong.
When talking in terms of attacking a daemon across a relatively
low-bandwidth network (as we were), a dictionary attack on 238Mb of
passwords is a) going to take a long time and b) hopefully won't go
unnoticed.
Agreed, if you have the encrypted passwords locally and have plenty of
CPU time to spare, knock yourself out. If someone *really* wants to
crack a publicly accessible account on your system they will, but this
implies a finely targeted attack. Most attackers will ask themselves
the question "Where can I get in easily?" rather than "How do I get in
here?"
>Brett
Shaun.
--
Shaun Lowry | March Systems Ltd., http://www.march.co.uk/
PGP Key available | 14 Brewery Court, High St.,
from key servers or | Theale, UK. RG7 5AJ
via e-mail on request | +44 1734 304224
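Shaun's point that an online dictionary attack across a slow link "hopefully won't go unnoticed" only holds if something is actually watching the stream of failed logins. The following is an added example, not part of the thread and not code from either poster: a small Python detector that parses constructed authentication log lines (the `authd` line format, the addresses and the usernames are all made up for illustration) and raises one alert per source once the number of failures inside a sliding time window reaches a threshold, which is the kind of check that turns "hopefully noticed" into "noticed".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original thread). One source walks a
# short word list across several accounts in quick succession; another source
# has a single typo-style failure followed by a successful login.
SAMPLE_LOG = """\
1996-06-04T10:12:13 authd: FAILED login user=alice src=192.0.2.10
1996-06-04T10:12:14 authd: FAILED login user=alice src=192.0.2.10
1996-06-04T10:12:15 authd: FAILED login user=bob src=192.0.2.10
1996-06-04T10:12:16 authd: FAILED login user=carol src=192.0.2.10
1996-06-04T10:12:17 authd: FAILED login user=alice src=192.0.2.10
1996-06-04T10:12:18 authd: FAILED login user=dave src=192.0.2.10
1996-06-04T10:12:30 authd: FAILED login user=erin src=198.51.100.7
1996-06-04T10:12:35 authd: OK login user=erin src=198.51.100.7
1996-06-04T10:20:00 authd: FAILED login user=alice src=192.0.2.10
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) authd: (?P<result>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alerts, one per source address per burst.

    A burst is `threshold` or more FAILED events from the same source whose
    timestamps all fall within `window`. The per-source deque holds only the
    events still inside the window, so memory stays bounded. A source is
    alerted once and re-armed when its failure count drops below threshold.
    """
    recent = defaultdict(deque)   # src -> events inside the window
    in_alert = set()              # sources already alerted for current burst
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "FAILED":
            continue
        src = ev["src"]
        q = recent[src]
        q.append(ev)
        # Drop events that fell out of the sliding window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            if src not in in_alert:
                in_alert.add(src)
                alerts.append({
                    "src": src,
                    "first": q[0]["ts"],
                    "last": ev["ts"],
                    "failures": len(q),
                    "users": sorted({e["user"] for e in q}),
                })
        else:
            in_alert.discard(src)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['src']}: {a['failures']} failures between "
              f"{a['first'].time()} and {a['last'].time()} against {a['users']}")
```

Running it against the sample flags `192.0.2.10` once (five failures in five seconds spread over three accounts) and leaves `198.51.100.7` alone, since one mistyped password followed by a success is normal user behaviour. Keying the window on the source rather than the account is deliberate: an attacker spraying a word list across many usernames never trips a per-account lockout, but still shows up here.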