[ncolug] Re: TALUG: in case you thought you had a clever password

• From: "Mr. Knisely" <mrknisely@xxxxxxxxxxxxxxxxxxxxxxx>
• To: talug@xxxxxxxxx, ncolug@xxxxxxxxxxxxx
• Date: Sun, 26 Feb 2006 12:33:21 -0500

Jason Bechtel wrote:

<-------- TALUG Info: http://www.talug.org -------->

http://www.securityfocus.com/columnists/388

Federico Biancuzzi interviews Solar Designer, creator of the popular
John the Ripper password cracker.  Solar Designer discusses what's new
in version 1.7, the advantages of popular cryptographic hashes, the
relative speed at which many passwords can now be cracked, and how one
can choose strong passphrases (forget passwords) that are harder to
break.

"With some vendors re-inventing password hashing and doing it wrongly
(or trying to be compatible with something ancient), and with
increasing CPU performance, it is not possible to have passwords that
are stored using certain hash types withstand offline attacks, even if
the most stringent password policy is followed."

"The entire printable US-ASCII keyspace (that is, all possible
passwords consisting of the 95 printable US-ASCII characters only) can
be searched against any number of LM hashes within a couple of weeks
on a single modern CPU, and most passwords would fall within the first
hour."

"Some older papers on password security recommended picking the first
letter of each word of a phrase to form short and easy to remember,
yet unusual passwords. Unfortunately, this results in a highly
non-uniform distribution of characters used - which John is able to
take advantage of. So I do not recommend it."

"There exist password generator programs which would produce both
random passphrases and random mixes of weird characters for use as
short passwords. Unfortunately, many if not most of them do not use
cryptographically secure sources of randomness and/or have other
weaknesses...  Although the passwords look like they are strong (weird
mixes of characters), there can only be a few million of them, so John
can check them all quickly (for some hash types, in a matter of
seconds)."

But if you make it all the way to page 3, there's a silver lining:

"In practice, you can expect almost no passwords to be cracked with
John the Ripper on systems which use bcrypt for password hashing and
have pam_passwdqc installed (with default settings).  Of course,
Openwall GNU/*/Linux uses bcrypt and pam_passwdqc for users' passwords
by default."

_______________________________________________
talug mailing list
talug@xxxxxxxxx
http://bridge.uniqsys.com/mailman/listinfo/talug

LM hashed passwords should have been dead a long time ago. If you are still on an MS system that caches and, why they do this I'll never know, sends the password automaticall whenever asked for authentication by anythign on the LAN, you need to drop that product now. You can also research the registry key to stop Windows from caching LM hashes.

As a technology society, we are always trying to balance the need for security with the "ease of use" factor. Authentication and authorization should never be one in the same; it is assumed that it just too much to have a user remember something for both. I got it! Lets take the users's last name and a first initial and use that as the person's username. Nobody will ever guess that. Next, lets let them use their spous's name as their super secret password! That'll work GREAT!

What kind of morons are we? Why would we let users do this? The answer to that is we are morons that want to be employed. I've fought the good fight, but when I cant convince my boss to use a SecureID system, what's the use? If management doesn't see the need the users will never let go of the stupid passwords of yesteryear.

So, I pose the question... how is this fixed? My current bet is on biometrics. A retinal scanner will be the password of this next century and it's foolproof. Well, except when the world builds the better fool and they guy with a detachable head leaves it at home.

One last thing.... physical access is everything. No matter how secure your password, if they have physical access to your box, they've got your data. (Yes, dada encryption... blah... blah... blah..) Your data is only as safe as the box on which it resides. If they can't get to your data, they can still keep you from getting to it.

Mike K.

To unsubscribe send to ncolug-request@xxxxxxxxxxxxx with 'unsubscribe' in the 
Subject field.

• Follow-Ups:
  • [ncolug] Re: TALUG: in case you thought you had a clever password
    • From: larry
  • [ncolug] Re: TALUG: in case you thought you had a clever password
    • From: nor thern

Other related posts:

• » [ncolug] Re: TALUG: in case you thought you had a clever password
• » [ncolug] Re: TALUG: in case you thought you had a clever password
• » [ncolug] Re: TALUG: in case you thought you had a clever password
• » [ncolug] Re: TALUG: in case you thought you had a clever password
• » [ncolug] Re: TALUG: in case you thought you had a clever password

1. Home
2. ncolug
3. Archive
4. 02-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---