[2705] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Paul D. Robertson)
Sun Jun 9 14:02:15 1996
Date: Sun, 9 Jun 1996 09:58:58 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Paul D. Robertson" <probert@AZStarNet.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.NEB.3.92.960609005028.19613C-100000@zap.io.org>
On Sun, 9 Jun 1996, Brian Tao wrote:
> We did just that a few months ago after running through our
> /etc/master.passwd and cracking some 1800 accounts in total. All
> accounts were expired at once and a replacement /usr/bin/passwd linked
> with CrackLib was installed. The extra time needed to do a thorough
> check of a newly supplied password against a large dictionary and the
> Crack ruleset is negligible, but it decreases the guessability of new
> passwords to nearly zero.
Unless you have users who _always_ do xxxNNxx or some other scheme which
they tend to do, in which case the space for a brute force attack is
narrowed significantly, enough to make it worthwhile, esp. if rlogin or some
other unwrappered service that doesn't log attempts is available on the
machine. Adding a minimum number of digits and non-repeats makes things
better, but you still should provide users with good guidance when
choosing passwords. I've seen admins who were proud of themselves for
using letters and digits in their passwords, who had a different password
on every machine, but always used three lower-case letters, two digits,
and three lower-case letters. Knowing the server didn't allow repeats,
that's nowhere near as secure from a brute force attack as some
dictionary words.
>
> Another good trick, if your OS supports it, is to use an alternate
> hash method and long passwords. Our servers run FreeBSD. It has the
> option of using either DES or MD5 encryption. The public servers use
> DES for compatibility, but internal machines have the default MD5 libs
> installed. I would suspect that your average hacker wouldn't know
> what to do if he found "$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl" in the
> encrypted password field.
>
Yeah, but if it becomes popular, there's not much stopping one of them
with a clue from adding an MD5/rsalib call right after the crypt() in
crack, et al.
> Long passwords are not only exponentially more difficult to guess
> than short ones, they can ironically be easier to remember. For
> example, "In London, April is a spring month." is a perfectly good
> password and not subject to truncation (FreeBSD's _PASSWORD_LEN is
> 128). Toss in some transformations, "InLndn:AprilIsAspringMonth",
> and you have something virtually unguessable yet you don't need to
> write it down anywhere.
Definitely the way to go if you can't do one-time passwords.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probert@azstarnet.com which may have no basis whatsoever in fact."
PSB#9280
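The narrowed search space Paul describes above (three lower-case letters, two digits, three lower-case letters, with repeated characters disallowed) can be quantified with a mask-based keyspace calculator. The following is an added example and is not code from this post, from Crack, or from any of the tools mentioned in the thread; the hashcat-style mask syntax (?l, ?u, ?d, ?s, ?a), the 94-character ?a class, and the guess rate used in the demo are all assumptions of the example.

```python
"""Keyspace of a patterned password scheme, with and without a no-repeat rule.

Added example, not code from the Bugtraq post or from Crack. The mask
syntax is hashcat-style and is an assumption of this example:
  ?l lowercase  ?u uppercase  ?d digit  ?s punctuation  ?a any of those
"""
from itertools import product
from math import perm
import string

CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,
}
CLASSES["a"] = CLASSES["l"] + CLASSES["u"] + CLASSES["d"] + CLASSES["s"]  # 94 chars


def parse_mask(mask):
    """'?l?l?d' -> ['l', 'l', 'd']; rejects anything that is not a run of ?x tokens."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    classes = []
    for tok in tokens:
        if len(tok) != 2 or tok[0] != "?" or tok[1] not in CLASSES:
            raise ValueError(f"bad mask token {tok!r} in {mask!r}")
        classes.append(tok[1])
    return classes


def keyspace(mask, no_repeats=False):
    """Number of candidates the mask admits.

    With no_repeats=True every character must be distinct. That count is a
    simple product of falling factorials only when the classes in the mask
    are disjoint, so a mask mixing ?a with a narrower class is rejected
    rather than answered wrongly.
    """
    classes = parse_mask(mask)
    if not no_repeats:
        total = 1
        for c in classes:
            total *= len(CLASSES[c])
        return total
    used = set(classes)
    if "a" in used and len(used) > 1:
        raise ValueError("no-repeat count needs disjoint classes; ?a overlaps the others")
    total = 1
    for c in used:
        # perm(n, k) = n * (n-1) * ... * (n-k+1): k distinct picks from n symbols
        total *= perm(len(CLASSES[c]), classes.count(c))
    return total


def candidates(mask, no_repeats=False):
    """Generate every password the mask admits (this is the brute force itself)."""
    classes = parse_mask(mask)
    for chars in product(*(CLASSES[c] for c in classes)):
        if no_repeats and len(set(chars)) != len(chars):
            continue
        yield "".join(chars)


def hours_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole space at a given guess rate."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    scheme = "?l?l?l?d?d?l?l?l"      # the admin's habit described in the post
    rate = 100_000                   # assumed offline guess rate, not a measurement
    for label, mask, nr in [
        ("any 8 printable chars", "?a" * 8, False),
        ("lll dd lll", scheme, False),
        ("lll dd lll, no repeated chars", scheme, True),
    ]:
        space = keyspace(mask, nr)
        print(f"{label:32s} {space:>22,d}  ~{hours_to_exhaust(space, rate):,.0f} h at {rate:,} g/s")
    # sanity check on a small mask: the formula agrees with actual enumeration
    small = "?l?l?d"
    assert sum(1 for _ in candidates(small, True)) == keyspace(small, True)
```

The closed-form count relies on the character classes being disjoint: six letters drawn without replacement from 26 and two digits from 10 gives 26·25·24·23·22·21 · 10·9 candidates, about 1.5e10, against 26^6·10^2 without the rule and 94^8 for an unconstrained 8-character password. For masks that mix ?a with a narrower class the function refuses to guess and you fall back to counting the output of candidates(), which is what an attacker would be running anyway.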