Network Security Security-Basics

re: Highlighting weak password dangers

Subject: re: Highlighting weak password dangers
Date: Mon, 29 Jan 2007 15:29:13 -0800 (PST)

----- Original Message ----

From: Henry Troup <htroup@acm.org>

To: "Barrett, Will" <wbarrett@pronetsol.com>; Kenton Smith <listsks@yahoo.ca>; WALI <hkhasgiwale@gmail.com>

Sent: Monday, January 29, 2007 8:56:54 AM

Subject: RE: Highlighting weak password dangers



>> "There is no reason for using brute-force for policy compliance."

Why not? An intruder might. Why on earth would you think you are safe
if you are not willing or able to do the same?

Are you sure that you're all using the same definition of "brute force"?
The "dictionary or hybrid" might qualify as "brute force" to some people.
I tend to reserve that term for those attacks that will in time try every
possible password - given unreasonable resources. Since a brute force
attack on length 8 is actually feasible today, you need to set an
appropriate minimum length. But otherwise "brute force" has no role in
compliance because it always works.

That's why we call it "brute force" - it's an analogy to locked doors. If I
have a standard steel outer door or solid core interior door, there is a
level of force that will break that door, or break the door and jamb out of
the building structure. I don't apply that force when checking to see if
the door is locked.

regards,

Henry Troup
htroup@acm.org


It all depends on the reasons for doing the "audit". In my world,
auditing is done to find policy breaches and weaknesses in defense
methods. As stated, brute-force always works. It doesn't matter how
complex your passwords are, brute-force never fails. It may take a few
months or longer, but if someone uses brute force on a strong password,
they're going to break it every time. So how does this help to enforce
policy? It doesn't, because if your policy is attempting to prevent
passwords from being cracked using brute force, everyone is going to have to
write down their 128 character complex passwords and change them on a
weekly basis.

On the other hand, if you are using password cracking methods to
find weak passwords, a carefully crafted dictionary attack will find
all the weak passwords within a matter of minutes and you're done.



Kenton
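The two points in this exchange, Henry's "brute force on length 8 is feasible, so set a minimum length" and Kenton's "a dictionary/hybrid check finds the weak passwords in minutes", as a defender-side policy check. This is an added example, not code from the thread; the word list, the 95-character printable alphabet and the 1e9 guesses/second rate are constructed assumptions, not measured figures.

```python
import math
import re

# Constructed toy word list standing in for a real cracking dictionary.
WEAK_WORDS = {"password", "welcome", "letmein", "summer", "company", "admin"}

# Substitutions the usual "hybrid" rules apply; undone here for the check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalize_forms(password: str) -> set[str]:
    """Base-word candidates: trim digits/symbols at the ends and undo leet, in
    both orders (so '4dmin!' and 'P@ssw0rd123!' both collapse), plus reversals."""
    def trim(s: str) -> str:
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    p = password.lower()
    forms = {trim(p).translate(LEET), trim(p.translate(LEET))}
    return forms | {f[::-1] for f in forms}


def matches_dictionary(password: str, words: set[str] = WEAK_WORDS) -> bool:
    """True when the password is a dictionary word under hybrid mutations."""
    return bool(normalize_forms(password) & words)


def brute_force_seconds(length: int, alphabet: int = 95,
                        guesses_per_sec: float = 1e9) -> float:
    """Seconds to exhaust every password of exactly `length` printable-ASCII
    characters at an assumed rate (1e9/s is a constructed placeholder)."""
    return alphabet ** length / guesses_per_sec


def min_length_for(years: float, alphabet: int = 95,
                   guesses_per_sec: float = 1e9) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    target = years * 365 * 24 * 3600 * guesses_per_sec
    return math.ceil(math.log(target, alphabet))


def check_policy(password: str, min_len: int) -> list[str]:
    """Policy violations for a candidate password; an empty list is compliant."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if matches_dictionary(password):
        problems.append("dictionary word under hybrid rules")
    return problems


if __name__ == "__main__":
    print(f"length 8 exhausts in {brute_force_seconds(8) / 86400:.0f} days")
    for pw in ("P@ssw0rd123!", "4dmin!", "Correct-Horse-Battery-Staple!"):
        print(pw, check_policy(pw, min_length_for(100)) or "compliant")
```

At the assumed rate, exhausting all 8-character passwords takes about 77 days, which is Henry's point about length, while the dictionary check rejects the mutated words instantly, which is Kenton's.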
