tlug.jp Mailing List Archive: Re: [tlug] crack
- Date: Tue, 23 Jul 2002 09:45:46 -0400
- From: Josh Glover <jmglov@example.com>
- Subject: Re: [tlug] crack
- References: <Pine.SUN.3.95.1020723153251.4842C-100000@example.com> <20020723163224.76d94e64.9915104t@example.com> <20020723165414.3307.HIYORI13@example.com> <3D3D132A.CAC4ED94@example.com>
- Organization: INCOGEN, Inc.
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020701
B0Ti wrote:
> YAMAGATA Hiroo wrote:
>
>>>There is a really low chance that passwords in a company will get cracked
>>>by brute force.
>>
>>Brute-Force, no.

Weak password checking is not for avoiding brute force. Dictionary attacks are used to try to crack passwords, not brute force, in most cases. If *I* wanted to crack your password, I would have a better chance using a dictionary-based password cracker, unless you use a very good password. Using a cracker to detect weak passwords is SOP for any sysadmin worth his/her salt, IMO.

> Most password cracking software uses dictionary attack then brute force. This is
> what I meant. Sorry about the confusion.

So you meant that dictionary-based cracking of your users' passwords is pointless? I disagree, as noted above.

>>Someone using their initials or your extension number, or your favorite
>>band, or one of those easy to guess stuff, that happens all the time.
>
>
> But there are at least a few words to check. You must be really lucky to get in
> with the first guess.
> Otherwise heaps of messages like the one below start coming from syslog, and
> that's rather obvious.
> Jul 23 17:18:34 machine123 PAM_unix[1839]: authentication failure; user(uid=1501)
> -> root for su service

I would say that if you can guess in under four tries, you will escape detection. Hell, I even mistype my own password sometimes. If I see something like the above in my logs twice, then a successful login, I just assume a mistype and go on about my business. In a perfect world, I would follow up on *every* failed authentication, but that would just annoy my users more than I care to do.

I have guessed other people's passwords successfully within three tries on more than one occasion. It is not hard, granted that you know enough about them (and if they are a co-worker in a small company, you should know enough) and they are not prone to choosing good passwords.

Windows does not enforce good passwords by default, so you cannot even rely on passwd-style idiocy checks.

The moral of this story? Crack your password files. Assume that your users know less about security than you do.

-- 
Josh Glover <jmglov@example.com>
Associate Systems Administrator
INCOGEN, Inc.
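The detection gap Josh describes (a couple of PAM failures followed by a successful su is written off as a mistype, so a guess that lands within a few tries is never followed up) is something a log monitor can narrow mechanically. The following is an added example, not code from the thread or from TLUG: it parses the `PAM_unix` failure line quoted above plus an assumed "session opened" success line (the success format, the hostnames, uids, user names and timestamps are all constructed for this example), groups attempts per host/uid/target/service, and reports a run of failures as an "alert" when it reaches the threshold, or as a lower-severity "notice" when a shorter run against a privileged target such as root ends in a success. Threshold, window, year and the privileged-target list are assumptions chosen here, not values from the message.

```python
import re
from datetime import datetime, timedelta

# The failure line is the shape quoted in the thread. The "session opened" line is an
# assumed success format constructed for this example; adapt it to your own syslog.
_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) PAM_unix\[\d+\]: "
    r"authentication failure; user\(uid=(?P<uid>\d+)\) -> (?P<target>\S+) "
    r"for (?P<service>\S+) service$"
)
_OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) PAM_unix\[\d+\]: "
    r"\((?P<service>\w+)\) session opened for user (?P<target>\S+) by \S*\(uid=(?P<uid>\d+)\)$"
)

# Constructed sample log: a 2-try su that succeeds (a plausible mistype), a 4-try su
# that succeeds (the pattern an admin should review), a 2-try su to an unprivileged
# account, and an unrelated sshd line the parser must ignore.
SAMPLE_SYSLOG = """\
Jul 23 17:18:34 machine123 PAM_unix[1839]: authentication failure; user(uid=1501) -> root for su service
Jul 23 17:18:41 machine123 PAM_unix[1840]: authentication failure; user(uid=1501) -> root for su service
Jul 23 17:18:52 machine123 PAM_unix[1841]: (su) session opened for user root by jmglov(uid=1501)
Jul 23 17:40:10 machine123 PAM_unix[2044]: authentication failure; user(uid=1503) -> root for su service
Jul 23 17:40:19 machine123 PAM_unix[2045]: authentication failure; user(uid=1503) -> root for su service
Jul 23 17:40:27 machine123 PAM_unix[2046]: authentication failure; user(uid=1503) -> root for su service
Jul 23 17:40:36 machine123 PAM_unix[2047]: authentication failure; user(uid=1503) -> root for su service
Jul 23 17:41:02 machine123 PAM_unix[2048]: (su) session opened for user root by bob(uid=1503)
Jul 23 18:05:00 machine123 PAM_unix[2310]: authentication failure; user(uid=1502) -> alice for su service
Jul 23 18:05:09 machine123 PAM_unix[2311]: authentication failure; user(uid=1502) -> alice for su service
Jul 23 18:05:15 machine123 PAM_unix[2312]: (su) session opened for user alice by carol(uid=1502)
Jul 23 19:10:00 machine123 sshd[2400]: Accepted publickey for jmglov from 192.0.2.7 port 40112 ssh2
""".splitlines()


def _parse_ts(ts, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_pam_events(lines, year=2002):
    """Return (time, host, uid, target, service, outcome) tuples, sorted by time."""
    events = []
    for line in lines:
        m, outcome = _FAIL_RE.match(line), "failure"
        if m is None:
            m, outcome = _OK_RE.match(line), "success"
        if m is None:
            continue  # not a PAM_unix line this parser understands
        d = m.groupdict()
        events.append((_parse_ts(d["ts"], year), d["host"], d["uid"],
                       d["target"], d["service"], outcome))
    events.sort(key=lambda e: e[0])
    return events


def find_guessing_attempts(lines, threshold=3, window=timedelta(minutes=10),
                           privileged=("root",), year=2002):
    """Group failures per (host, uid, target, service) into runs and report them.

    "alert": a run reached `threshold` failures inside `window`.
    "notice": a shorter run ended in a success against a privileged target.
    Anything else (one or two mistypes) is dropped, mirroring the thread's habit.
    """
    runs, findings = {}, []

    def flush(key, run, succeeded):
        host, uid, target, service = key
        if run["failures"] >= threshold:
            severity = "alert"
        elif succeeded and target in privileged:
            severity = "notice"
        else:
            return
        findings.append({"severity": severity, "host": host, "uid": uid,
                         "target": target, "service": service,
                         "failures": run["failures"], "succeeded": succeeded,
                         "first": run["first"], "last": run["last"]})

    for ts, host, uid, target, service, outcome in parse_pam_events(lines, year):
        key = (host, uid, target, service)
        run = runs.pop(key, None)
        if run is not None and ts - run["last"] > window:
            flush(key, run, succeeded=False)  # stale run: close it before starting anew
            run = None
        if outcome == "failure":
            if run is None:
                run = {"first": ts, "last": ts, "failures": 0}
            run["failures"] += 1
            run["last"] = ts
            runs[key] = run
        elif run is not None:
            flush(key, run, succeeded=True)

    for key, run in runs.items():  # runs still open at end of input
        flush(key, run, succeeded=False)
    findings.sort(key=lambda f: f["first"])
    return findings


if __name__ == "__main__":
    for f in find_guessing_attempts(SAMPLE_SYSLOG):
        print(f"{f['severity']:6} {f['host']} uid={f['uid']} -> {f['target']} "
              f"({f['service']}): {f['failures']} failures, succeeded={f['succeeded']}")
```

On the sample above the two-try su by uid 1501 is reported only as a notice because the target is root, the four-try su by uid 1503 is an alert, and the two-try su to alice is dropped; lowering `threshold` or adding targets to `privileged` is how you trade false positives against the "under four tries" blind spot.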