Mailing List Archive



Re: [tlug] crack



B0Ti wrote:
> YAMAGATA Hiroo wrote:
> 
> 
>>>There is a really low chance that passwords in a company will get cracked
>>>by brute force.
>>
>>Brute-Force, no. Weak password checking is not for avoiding brute force.

Dictionary attacks are used to try to crack passwords, not brute force,
in most cases. If *I* wanted to crack your password, I would have a
better chance using a dictionary-based password cracker, unless you use
a very good password.

Using a cracker to detect weak passwords is SOP for any sysadmin worth
his/her salt, IMO.

> Most password cracking software uses dictionary attack then brute force. This is
> what I meant. Sorry about the confusion.

So you meant that dictionary-based cracking of your users' passwords is
pointless? I disagree, as noted above.

>>Someone using their initials or your extension number, or your favorite
>>band, or one of those easy to guess stuff, that happens all the time.
> 
> 
> But there are at least a few words to check. You must be really lucky to get in
> with the first guess.
> Otherwise heaps of messages like the one below start coming from syslog, and
> that's rather obvious.
> Jul 23 17:18:34 machine123 PAM_unix[1839]: authentication failure; user(uid=1501)
> -> root for su service

I would say that if you can guess in under four tries, you will escape
detection. Hell, I even mistype my own password sometimes. If I see
something like the above in my logs twice, then a successful login, I
just assume a mistype and go on about my business. In a perfect world, I
would follow up on *every* failed authentication, but that would just
annoy my users more than I care to do.

I have guessed other people's passwords successfully within three tries
on more than one occasion. It is not hard, granted that you know enough
about them (and if they are a co-worker in a small company, you should
know enough) and they are not prone to choosing good passwords. Windows
does not enforce good passwords by default, so you cannot even rely on
passwd-style idiocy checks.

The moral of this story? Crack your password files. Assume that your
users know less about security than you do.


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
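The "dictionary first, then brute force" audit the thread describes, as an added example that is not code from the post, from Crack or from John the Ripper. It assumes a stand-in hash (salted SHA-256 rather than crypt(3)), a constructed password file whose plaintexts mirror the weak choices named above (initials plus digits, a favourite band, an extension number) plus one strong password, and a constructed wordlist; the mangling rules and the digits-only brute-force phase are this example's own choices.

```python
"""Dictionary-then-brute-force password audit.

Added example, not code from the TLUG post or from Crack/John the Ripper.
Assumptions (not in the original message): the hash is a stand-in
salted SHA-256 (sha256(salt + password)) rather than crypt(3); the
password file and the wordlist are constructed for the demo.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterator, List, Optional, Tuple


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): hex sha256 over salt||password (assumption)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed "shadow" contents. The plaintexts mirror the weak choices the
# post describes (initials plus digits, a favourite band, an extension
# number) and one genuinely strong password.
_DEMO_PLAINTEXTS = {
    "jmg": "jmg1234",          # initials + digits
    "tanaka": "Metallica",     # favourite band, capitalised
    "reception": "5551",       # phone extension: digits only
    "admin": "kz!R9#vQ2pWx",   # strong; should survive both phases
}
DEMO_WORDLIST = ["password", "jmg", "tanaka", "metallica", "incogen", "linux"]


def build_demo_shadow() -> Dict[str, Tuple[str, str]]:
    """user -> (salt, hash), the way a per-user salted password file looks."""
    return {u: ("s_" + u, hash_password("s_" + u, p))
            for u, p in _DEMO_PLAINTEXTS.items()}


_LEET = str.maketrans("aeios", "43105")


def mangle(word: str) -> Iterator[str]:
    """Crack-style rules: case variants, reversal, leetspeak, digit suffixes.

    Yields the bare variants first, then each variant with 0..9999 appended,
    so the cheapest guesses are tried before the expensive ones.
    """
    variants: List[str] = []
    for v in (word, word.lower(), word.capitalize(), word.upper(),
              word[::-1], word.lower().translate(_LEET)):
        if v not in variants:
            variants.append(v)
    yield from variants
    for v in variants:
        for n in range(10000):
            yield f"{v}{n}"


def dictionary_attack(salt: str, target: str, wordlist: List[str]) -> Optional[str]:
    """Phase 1: every wordlist entry through every mangling rule."""
    for word in wordlist:
        for guess in mangle(word):
            if hash_password(salt, guess) == target:
                return guess
    return None


def brute_force(salt: str, target: str, alphabet: str = string.digits,
                max_len: int = 4) -> Optional[str]:
    """Phase 2: exhaustive search over a small alphabet up to max_len chars.

    Deliberately tiny (10^4 candidates): brute force is the fallback, not the
    first move, because widening the alphabet makes the cost explode.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hash_password(salt, guess) == target:
                return guess
    return None


def audit(shadow: Dict[str, Tuple[str, str]],
          wordlist: List[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Return user -> (phase, plaintext) for cracked accounts, None otherwise."""
    results: Dict[str, Optional[Tuple[str, str]]] = {}
    for user, (salt, h) in shadow.items():
        found = dictionary_attack(salt, h, wordlist)
        if found is not None:
            results[user] = ("dictionary", found)
            continue
        found = brute_force(salt, h)
        results[user] = ("brute-force", found) if found is not None else None
    return results


if __name__ == "__main__":
    for user, outcome in audit(build_demo_shadow(), DEMO_WORDLIST).items():
        print(f"{user:10} {'OK' if outcome is None else 'WEAK (%s): %s' % outcome}")
```

Run against the constructed file, the dictionary phase recovers jmg's and tanaka's passwords, the digit brute force recovers the extension, and only admin survives; on a real /etc/shadow the same two phases are what a cracker does, just with real crypt(3) hashes and far larger wordlists and rule sets.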
