Date:      Fri, 15 Aug 2003 23:43:28 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        "Gary W. Swearingen" <underway@comcast.net>
Cc:        Glenn Johnson <gjohnson@srrc.ars.usda.gov>
Subject:   Re: password strength checking not consistently implemented
Message-ID:  <3F3DD290.D237F6D2@mindspring.com>
References:  <20030814225453.GA1385@node1.cluster.srrc.usda.gov> <3F3C9E22.D24F3C0A@mindspring.com> <9ek79edgvu.79e@mail.comcast.net>

"Gary W. Swearingen" wrote:
> I'd think that that would depend on the people choosing passwords and
> whether the cracker is going after one particular user or just any one
> of many.  I'd expect it, on average, to take a lot less long if you
> start your search well: "password", "drowssap", etc.
> 
> (I guess it makes sense that "A. Hacker" WOULD try to discourage
> password strength checking. :)
> 
> This reminds me of the guy who insisted on setting his lock with truly
> random numbers and his truly random number generator spit out 0, 0, 0
> (or whatever the factory default was).

You're assuming that everyone uses dictionary attacks, which is
really not true these days.

Actually, thanks to strength-checkers, most crackers have switched
to brute-force, since dictionary attacks no longer work.  For some
definitions of "strength checking", they can also ignore the search
space where passwords contain all alphabetic characters.

In general, they pick an account and brute force the password for a
single account (or all accounts with a given salt).

This begs the question of how, if you aren't running NIS, they got
access to your shadow password file in the first place.

-- Terry
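The per-salt brute force Terry describes, as an added example that is not part of the original thread and not anyone's actual cracking tool: each candidate is hashed once per distinct salt and compared against every account that shares that salt, so the cost scales with the number of salts rather than the number of accounts. It also covers the second point, skipping the all-alphabetic search space when a strength checker is known to reject such passwords, and what that costs the attacker when the check was not consistently enforced (the thread's subject). Everything here is constructed for the demo: the "$toy$" field format and toy_hash() stand in for crypt(3) (one unstretched SHA-256, not a real password hash), and the four users, salts and passwords are invented.

```python
"""Toy demonstration of per-salt brute force against a shadow-style file.

Constructed example: toy_hash() is a stand-in for crypt(3), not a real
password-hash function, and the shadow file is generated in this script.
"""
import hashlib
import itertools
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase + string.digits


def toy_hash(salt: str, password: str) -> str:
    """Salted stand-in for crypt(3) (assumption: one SHA-256, no stretching)."""
    return hashlib.sha256((salt + "$" + password).encode()).hexdigest()


def shadow_line(user: str, salt: str, password: str) -> str:
    """Build one 'user:$toy$salt$hash' line (constructed data for the demo)."""
    return f"{user}:$toy${salt}${toy_hash(salt, password)}"


def parse_shadow(text: str) -> dict:
    """Map user -> (salt, hash) from 'user:$toy$salt$hash' lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 1)
        _empty, _tag, salt, digest = field.split("$")
        entries[user] = (salt, digest)
    return entries


def candidates(length: int, skip_all_alpha: bool = False):
    """Every string of `length` chars over ALPHABET.  With skip_all_alpha the
    purely alphabetic strings are dropped: the space an attacker can ignore
    if the strength checker is known to reject passwords without a digit."""
    for chars in itertools.product(ALPHABET, repeat=length):
        word = "".join(chars)
        if skip_all_alpha and word.isalpha():
            continue
        yield word


def crack_by_salt(entries: dict, length: int, skip_all_alpha: bool = False):
    """Brute force one salt group at a time: each candidate is hashed once per
    distinct salt and looked up against every account using that salt.
    Returns (recovered {user: password}, number of hash computations)."""
    by_salt = defaultdict(dict)                 # salt -> {hash: [users]}
    for user, (salt, digest) in entries.items():
        by_salt[salt].setdefault(digest, []).append(user)
    recovered, hash_ops = {}, 0
    for salt, digests in by_salt.items():
        for word in candidates(length, skip_all_alpha):
            hash_ops += 1
            for user in digests.get(toy_hash(salt, word), []):
                recovered[user] = word
    return recovered, hash_ops


def naive_ops(entries: dict, length: int, skip_all_alpha: bool = False) -> int:
    """Cost of the obvious approach: every candidate hashed once per account."""
    return len(entries) * sum(1 for _ in candidates(length, skip_all_alpha))


# Constructed shadow file: two salts shared across four accounts.  "cat" is a
# password a checker that rejects all-alphabetic strings would never have
# allowed, i.e. the check was not enforced for that account.
SHADOW = "\n".join([
    shadow_line("alice", "Ab", "x9k"),
    shadow_line("bob",   "Ab", "7zq"),
    shadow_line("carol", "Qz", "m4m"),
    shadow_line("dave",  "Qz", "cat"),
])

if __name__ == "__main__":
    entries = parse_shadow(SHADOW)
    for skip in (False, True):
        found, ops = crack_by_salt(entries, 3, skip)
        print(f"skip_all_alpha={skip}: recovered={found} "
              f"hash_ops={ops} naive={naive_ops(entries, 3, skip)}")
```

With two salts over four accounts the grouped search does half the hash work of the naive one, and the gap grows with every account that shares a salt. Skipping the all-alphabetic space cuts roughly another third of the 3-character search here, but it also means "cat" is never tried: the shortcut only pays if the strength check really was applied to every account, which is exactly what the thread's subject line says cannot be assumed.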



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F3DD290.D237F6D2>