Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Secure Password Policy?

from [Petr . Kazil] Network Security [Permanent Link]
Subject: RE: Secure Password Policy?
Date: Sun, 22 Jan 2006 11:36:30 +0100 
Rainbow tables make password up to around 8 characters easy to crack, if 

the

attacker has the time to pre-compute the tabes. Making rainbow tables 

beyond

8 is long term planning, and somewhat disk intensive for script-kiddy 

level

attacks.


It is instructive to look at this site:
http://www.loginrecovery.com/

I've used this website as an example in a class I gave, and I exchanged a 
few e-mails with the owners of this site. They were very friendly and 
explained that they used huge rainbow tables and that they could easily 
crack passwords even longer than 14 characters.
I sent in a few test passwords of mine (very simple ones) and they were 
all cracked in a minute. This was a sobering experience :-)

There may be more service providers like that, but this was the first one 
I found. If you're in deep trouble, then paying 10 GBP for your forgotten 
admin password is a good deal.

At our clients I try to defend the current Microsoft policy because IMHO 
it's quite safe and reduces the load on the helpdesk:

Length: 8 chars or more
Complexity: enabled
Change: every 90-120 days
Lockout: after 50 (!) attempts - not 5 or 3 like we used to advise

The philosophy is that a lockout is only necessary if someone uses an 
automated password guessing tool. The chance of guessing even a simple 
password like "Banana01" (seen "in the wild") in 50 guesses is slight. And 
having 50 tries once saved the day for me, after I changed my password 
late at night and didn't know it anymore in the morning :-)

Greetings, Petr Kazil

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Tool to make mitm on ssh2, Aaron
Next by Date:  Re: "Ping scan" through Google, pagvac
Previous by Thread:  RE: Secure Password Policy?, Lyal Collins
Next by Thread:  Re: Secure Password Policy?, List Spam
Indexes:  [Date] [Thread] [Top] [All Lists]