Date: Mon, 23 Dec 2002 17:57:48 -0500 (EST)
From: Stephen Hovey
To: paul beard
Cc: FreeBSD Questions
Subject: Re: L0phtcrack
In-Reply-To: <3E0791D4.4090407@mac.com>

I've used such utilities in the past.. Basically, the only way a legit
admin can secure things, is if they have access to the same tech the bad
guys use.. otherwise they can never be really certain they have things
shored up.

On Mon, 23 Dec 2002, paul beard wrote:

> Stacey Roberts wrote:
>
> > Why would you want to do this? Personally, I figure it's prudent to ask.
>
> It does have some legitimate uses, according to this page (
> http://www.atstake.com/research/lc/ ):
>
> > Consider that at one of the largest technology companies, where
> > policy required that passwords exceed 8 characters, mix cases,
> > and include numbers or symbols...
> >
> >   * L0phtCrack obtained 18% of the passwords in 10 minutes
> >   * 90% of the passwords were recovered within 48 hours on a Pentium
> >     II/300
> >   * The Administrator and most Domain Admin passwords were
> >     cracked
> >
> > It doesn't have to be this way. Crack-resistant passwords are
> > achievable and practical. But password auditing is the only
> > sure way to identify user accounts with weak passwords. LC4
> > offers an easy and adaptable way to address this threat and
> > find vulnerable passwords.
>
> Take it from a 1998 Microsoft security bulletin:
>
> > "consider evaluating a tool such as L0phtcrack 2.0 for
> > assisting in checking the quality of user passwords."
>
> --
> Paul Beard: seeking UNIX/internet engineering work
> 8040 27th Ave NE Seattle WA 98115 / 206 529 8400
>
> "Laughter is the closest distance between two people."
> -- Victor Borge
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message