Educating End Users about Passwords - Was - RE: john the ripper

From: Thompson, Jimi (JimiT@mail.cox.smu.edu)
Date: Mon Dec 08 2003 - 18:05:29 EST


All,

My personal experience is that I would rather have a user with a relatively
weak (6-digit) password that isn't susceptible to a simple dictionary attack
AND that doesn't have it written on a sticky note AND knows not to give it
out over the phone. User education is far more important than the length of
the password.

The most important thing is explaining to users how they can generate their
own "hard" passwords. The algorithm that I teach them is this:

1. Pick a sentence that has meaning for you and that you will remember.
   i.e. I work at cox today.
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants, as it is the opposite of rule 2) become
   lowercase characters.
4. Words like "to" and "for" become numbers.
5. Words like "at" and "and" become symbols (@ and &).
6. Add some character to the end, like ! or #.

Now my password is iW@C2day!

Once they get this simple thing down, getting them to choose "strong"
passwords becomes infinitely easier, because they now have a mnemonic device
to recall the password - the primary end user complaint about using "strong"
passwords. If they can remember it, they are also a lot less likely to use
the nefarious sticky note. Then all you have to worry about is making sure
that they know not to give it out over the phone, which frankly, is the
easiest method of "cracking" a password.

2 cents,

Jimi
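The six rules above leave some room for interpretation (the post's own example keeps only the first letter of ordinary words and turns the "to" in "today" into "2"). The following is an added example, not code from the post, that implements one reading of the rules tuned to reproduce the example password, plus a small check that the result covers the four character classes. The prefix rule for "today" and the list of substitution words are my assumptions.

```python
import re

# Whole-word substitutions from rules 4 and 5 (to/for -> digits, at/and -> symbols).
# Which words qualify is an assumption; the post only gives to, for, at and and.
WORD_SUBS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
             "at": "@", "and": "&"}
# Prefixes that get the same treatment inside a longer word ("today" -> "2day"),
# which is how the post's example handles "today". The post never spells this
# rule out, so it is my reading of the example, not a stated rule.
PREFIX_SUBS = {"to": "2", "for": "4"}
VOWELS = set("aeiou")


def mnemonic_password(sentence: str, suffix: str = "!") -> str:
    """Turn a memorable sentence into a password following the post's rules.

    Ordinary words contribute only their first letter (consonant -> UPPER,
    vowel -> lower), as the post's own example does; substitution words become
    a digit or symbol; the suffix implements rule 6.
    """
    parts = []
    for word in re.findall(r"[A-Za-z]+", sentence):
        w = word.lower()
        if w in WORD_SUBS:
            parts.append(WORD_SUBS[w])
            continue
        prefix = next((p for p in PREFIX_SUBS
                       if w.startswith(p) and len(w) > len(p)), None)
        if prefix:
            parts.append(PREFIX_SUBS[prefix] + w[len(prefix):])
            continue
        first = w[0]
        parts.append(first if first in VOWELS else first.upper())
    return "".join(parts) + suffix


def character_classes(password: str) -> set:
    """Report which of the classes lower, upper, digit and symbol appear."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # Constructed sample sentences; the first is the one from the post.
    for sentence in ["I work at cox today",
                     "Remember to lock the screen and go for lunch"]:
        pw = mnemonic_password(sentence)
        print(f"{sentence!r} -> {pw} ({len(pw)} chars, "
              f"classes: {sorted(character_classes(pw))})")
```

Because ordinary words contribute a single letter, the password length is driven by the sentence length; the class check is only a floor (all four classes present), not a strength measure, and the keyspace arithmetic further down the thread is the better yardstick for length.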

-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien@columbia.com]
Sent: Monday, December 08, 2003 1:38 PM
To: falcon@secureconsulting.net; pen-test@securityfocus.com
Subject: RE: john the ripper

Okay, I hear what you're saying about the amount of time being used and
all... but..

If your users are like the ones I've seen, that "reasonably strong"
password (such as &Y6N8gg0 -- presumably strong) is just going to get
written down on a sticky tab and put on the user's monitor or under their
keyboard. The point is, while you've done a great job creating a strong
keyspace which is difficult to break, I may open up a bigger problem.
The goal is to get through the proverbial wall. Whether I do that by
breaking through the bricks or scaling it or just going around, it
doesn't really matter to me. If I make the wall thicker, that just
moves the problem -- I'm still interested in getting to the other side,
and I know I won't be able to break through it, so off I go to find a
different solution...

Just my thoughts.

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon@secureconsulting.net]
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test@securityfocus.com
Subject: RE: john the ripper

Scary numbers...so, semi-drifting question: how long is an "acceptable"
length of time to run a cracker before pronouncing that uncracked
passwords are "reasonably strong and well-chosen"?

> -----Original Message-----
> From: Mike [mailto:myname17@bellsouth.net]
> Sent: Monday, December 08, 2003 3:45 AM
> To: Giacomo; pen-test@securityfocus.com
> Subject: Re: john the ripper
>
>
> I recently did a little research on this, and if the password was
> well chosen you will not find the password.
>
> An 8 character password, based on a 72 character set (26 lower
> case letters, 26 uppercase letters, 10 digits, and 10 special
> characters) results in 72^8 or 7.2x10^14 possible passwords. My
> reference PC was only able to crack at 1500c/s. Doing the math
> reveals that 150,000 years would be required to crack all
> combinations, or 75,000 years on average. For a 12 character
> password the result was 2,000,000,000,000 years.
>
> If my math is wrong, please break it to me gently.
>
> Mike
>
> On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
> > Hi all
> >
> > I am trying to crack Cisco MD5 passwords.
> > Currently I am using an Athlon XP2500 Barton at 2300 MHz; after 17 days
> > john continues to crack at 3800c/s (it started at 4500c/s).
> > I am asking myself and all of you what is the best system (hardware)
> > to crack MD5 passwords.
> > I am thinking that the best way is the powerful (MHz) i386 in
> > commerce.
> > I've tried OpenMosix with 4 P500 nodes with john and cisilia, but
> > without lucky results.
> > The Sun 280 (dual 64-bit CPUs at 900 MHz) goes to a poor 900c/s.
> >
> > Which is your reference system to use john on MD5 passwords?
> >
> > Giacomo
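The thread's numbers (a 72-character set, 8 or 12 characters, 1500 c/s, and the 3800 to 4500 c/s John rates) are easy to recompute, and that is the useful exercise behind Benjamin's "how long is acceptable" question: time to search a keyspace scales linearly with the cracking rate, so the answer depends on the rate you assume rather than on the password alone. The following is an added example, not code from any of the posters; the 10^9 c/s figure is a hypothetical rate I chose for comparison, and the year is taken as 365 days.

```python
# Keyspace and exhaustive-search time for the figures quoted in this thread.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000; leap days ignored


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def exhaustive_years(charset_size: int, length: int, rate_per_second: float) -> float:
    """Years to try every password of this length at a given cracking rate (c/s)."""
    return keyspace(charset_size, length) / rate_per_second / SECONDS_PER_YEAR


def average_years(charset_size: int, length: int, rate_per_second: float) -> float:
    """Expected time to hit one uniformly chosen password: half the full search."""
    return exhaustive_years(charset_size, length, rate_per_second) / 2


def min_length_for(charset_size: int, rate_per_second: int, target_years: int) -> int:
    """Smallest length whose full search at `rate_per_second` takes at least
    `target_years`; integer arithmetic so large keyspaces stay exact."""
    needed = target_years * SECONDS_PER_YEAR * rate_per_second
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    # Rates taken from the thread plus one hypothetical figure for comparison.
    rates = {"1500 c/s (Mike's reference PC)": 1500,
             "4500 c/s (Giacomo's Athlon, starting rate)": 4500,
             "1e9 c/s (hypothetical, chosen for comparison)": 10**9}
    for label, rate in rates.items():
        print(label)
        for length in (6, 8, 12):
            years = exhaustive_years(72, length, rate)
            print(f"  {length} chars from a 72-char set: {years:.3g} years full search,"
                  f" {years / 2:.3g} on average")
    print("length needed for a 100-year full search at 1500 c/s:",
          min_length_for(72, 1500, 100))
    print("length needed for a 100-year full search at 1e9 c/s:",
          min_length_for(72, 10**9, 100))
```

For 72^8 at 1500 c/s the full search comes out at roughly 15,000 years (72^8 is 722,204,136,308,736 exactly), and a 6-character password from the same set falls to about three years at that rate, which is worth keeping next to the figures quoted in the thread. `min_length_for` answers the practical version of Benjamin's question: pick the rate you expect an attacker to have and the margin you want, and it returns the length that meets it.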



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT