Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Password Cracking

from [Andrew Shore] Network Security [Permanent Link]
Subject: RE: Password Cracking
Date: Mon, 13 Sep 2004 15:50:16 +0100 
I think one issue that is being over looked here is the networks weakest point, 
the users.

I have worked for many large (in terms of user base) companies and the biggest 
problem is to first explain how to create a complex password and the second is 
to get them to remember it.

When ever I have tried to get strong passwords into an organisation the first 
problem is the huge increase in users calling the helpdesk because they've 
forgotten the password, with all the identification issues that generates. Then 
there is the scrap of paper under the keyboard because the new passwords are 
"too hard"

If you work in a very secure environment you have to use some form of strong 
authentication, probably a two factor solution, but this can not be rolled out 
for the masses (cost!)

So a line has to be drawn. I don't have the answer but I know from bitter 
experience the costs of tying down general user passwords too far.

Just my 2 cents

Andy 

-----Original Message-----
From: Über GuidoZ [mailto:uberguidoz@gmail.com] 
Sent: 11 September 2004 19:30
To: Teo Gomez
Cc: Andrew Shore; Simon Zuckerbraun; security-basics@securityfocus.com
Subject: Re: Password Cracking

While it's true that "October10,1977" is a strong password by most
rules, I'd beg to differ that it is a good password. Due to the ease
of social engineering, it may not be. I, for one, will test common
dates (birthdays, anniversaries, etc) in all forms first, when looking
for a password. (All forms means backwards, forwards, short hand, long
hand, etc). Most people use these as passwords since they are easy to
remember. The next step when using "trial-and-error" method is names
of those close to them (family, loved ones, pets, etc). You may be
surprised how easy it is simply guess a password when you try.

If you would like to use something easy to remember, try at least
swapping something around, but not in a usual way. Like make it
"Rctobeo" (swapped the O and R) or "7197" (instead of 1977)...
something to that effect. I usually don't try those types of swaps
until I use a brute force method. On a side note, while it's better
then nothing, and adding a "1" to a name isn't a way to secure it
either. =P I will try that 3rd.


On Fri, 10 Sep 2004 14:23:17 -0400, Teo Gomez <tgomez@ubiquitelpcs.com> wrote:

Even enforcing complex passwords does not guarantee that passwords be
'strong.'  For example, October20,1977 is my birthday, and is a strong
password.  Try and get users to use pass phrases instead of passwords.
For example, My cat's hair is blue, is a complex pass phrase.

Teo

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore@holistecs.com]
Sent: Wednesday, September 08, 2004 4:37 AM
To: Simon Zuckerbraun; security-basics@securityfocus.com
Subject: RE: Password Cracking

Depending up on the servers strong passwords can be enforced.

NT4 SP4 and Win2k AD support this as do most Linux distributions.

That way you don't need to check the passwords.

-----Original Message-----
From: Simon Zuckerbraun [mailto:szucker@sst-pr-1.com]
Sent: 05 September 2004 04:05
To: security-basics@securityfocus.com
Subject: RE: Password Cracking

If I understand correctly, LC is capable of doing what you're asking.

Simon

-----Original Message-----
From: Eoin Fleming [mailto:rtfm@o2.ie]
Sent: Friday, August 27, 2004 4:44 PM
To: security-basics@securityfocus.com
Subject: Password Cracking

Bit of an unusual one -

Lets imagine you are a security administrator at a company - strong
passwords are enforced but you suspect that there may be exceptions and
you want to raise management awareness of breaches of the password
policy BUT you can't run cracking software as then you will know
individuals passwords - which you don't want to know as this breaks
acountability rather nicely.

In short - is there software that can perform the function of LC and
John without giving the admin the password but rather rate the password
against against a set criteria?




---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Unknown Windows Service suspected Worm/Virus, Ansgar -59cobalt- Wiechers
Next by Date:  Re: Final Words on "Educating RDNS violators" - Debunking the Myth's [?? Probable Spam], Hexis
Previous by Thread:  Re: Password Cracking, Miles Stevenson
Next by Thread:  RE: Password Cracking, Jonathan Loh
Indexes:  [Date] [Thread] [Top] [All Lists]