
| Subject: | Re: ADS Password Storage Protection |
|---|---|
| Date: | Wed, 19 Jul 2006 10:41:16 -0600 |
Do you audit for attempts using brute force to guess passwords? What you are describing is a brute force password attempt using well-known pass phrases. A better pass phrase might be something personal, like "I have three children and a beautiful wife who stands 5' 7"." This will be difficult to guess and will not be found in Bartlett's Book of Quotations.
In the end, it comes down to what you are trying to protect and how much you are going to protect it. Having done a lot of brute-force password checking with phrases and such, it was pretty quick (I think about 48 hours) to find "The Cat in the Hat is Back" through a long list of various phrases and words. However, all it took was to misspell Hat as Hta and it took functionally longer than I wanted to wait for the secondary dictionary attacks (misspellings, changing e->3, etc.) to find it.
I would say that having a phrase+complexity test is good advice. The complexity test can be the addition of numbers, special characters, etc. that are not at the beginning and end of the phrase, and there are several 'modules' prewritten for many password programs to test for this.
However, my main advice for a site that is looking for better security is to use one-time passwords, lockouts, and end-to-end authentication. A one-time password system usually requires some sort of 'two-factor' device (secureid, cryptocard, etc.) and helps ensure that the password is not guessable.
-- Stephen J Smoogen. CSIRT/Linux System Administrator
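As an added example (not code from the list post or its author), a passphrase policy check in the spirit of the phrase+complexity test discussed above: it rejects well-known phrases even after common character substitutions such as e->3, and requires a digit or symbol somewhere other than the first or last character. The known-phrase list and the substitution map are constructed samples; a real deployment would load a much larger phrase list from disk.

```python
import re
import string

# Constructed sample of well-known phrases (a real list would be far larger).
KNOWN_PHRASES = {
    "the cat in the hat is back",
    "to be or not to be",
    "four score and seven years ago",
}

# Constructed map of single-character substitutions a mutation rule set would try.
LEET_MAP = str.maketrans({
    "3": "e", "1": "i", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(phrase: str) -> str:
    """Undo common substitutions and keep only letters, so a mutated quotation
    (e.g. 'Th3 Cat in the Hat') still compares equal to the original phrase."""
    lowered = phrase.lower().translate(LEET_MAP)
    return " ".join(re.findall(r"[a-z]+", lowered))


def check_passphrase(phrase: str, min_words: int = 4):
    """Return (ok, reasons).  Policy enforced:
      - not a known phrase, even after undoing substitutions;
      - at least min_words words;
      - at least one digit or symbol that is not the first or last character."""
    reasons = []
    norm = normalize(phrase)
    if norm in KNOWN_PHRASES:
        reasons.append("matches a well-known phrase (after undoing substitutions)")
    if len(norm.split()) < min_words:
        reasons.append(f"fewer than {min_words} words")
    interior = phrase[1:-1]  # leading/trailing complexity characters don't count
    if not any(c.isdigit() or c in string.punctuation for c in interior):
        reasons.append("no digit or symbol inside the phrase")
    return (not reasons, reasons)
```

A misspelling such as "Hta" slips past the dictionary check here just as it did in the author's test, which is why the interior-complexity rule is enforced independently.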