Date: Wed, 18 Sep 2002 16:49:37 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: <freebsd-security@FreeBSD.ORG>
Subject: Re: Password Security Policy Question
Message-ID: <20020918162641.P76675-100000@walter>
In-Reply-To: <20020918201336.17551.qmail@web10101.mail.yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> While we're on the subject of passwords, I'm considering setting up a
> semi-dedicated box to do some password cracking at work. Is there a
> good paper on how to set up some good libraries? I have john the
> ripper running right now but the default ability to crack passwds
> isn't very good (I threw it some obvious ones...didn't get them).
>
> Also, is there anything involved in this process aside from raw CPU
> time? For the next time I get to build a box, it'd be good to know.

If you're just brute forcing sequentially or randomly, then no, it's all
about the CPU. Usually, though, it's possible to be a little bit smarter
by using dictionaries.

I've used crack for this in the past - you feed it one or more big
dictionaries, and it applies a bunch of mangling rules to each dictionary
entry to generate a really big list which it then tries against the
password file. It allows you to supply your own sets of mangling rules and
supports weighted spreading of the work across multiple hosts if you have
ssh access to all of them (and preferably nfs, though it's not necessary).

It's in ports/security/crack if you want to have a go, but be aware of any
corporate or university policies that may affect you as well as the legal
ramifications of running a program like this. More than one well meaning
sysadmin has been sacked, fined, sued or worse just for running crack....

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
 -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE9iRERswXMWWtptckRAkl7AJ48s6BIS0dEp45rJalVgvlnRKIxzACfZ75G
0P8Fxk95GTbFwkQvcrXQxBA=
=Knre
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
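
The dictionary-plus-mangling-rules idea described in the message, turned around as a check at password-change time (an added example, not part of the original e-mail and not Crack's own code). The wordlist, the rule set and the function names are assumptions constructed for illustration; they are not Crack's rule language.

```python
import itertools

# Constructed sample dictionary; a real deployment would load large wordlists.
WORDLIST = ["password", "dragon", "freebsd", "jason"]

# Common letter-to-digit substitutions (assumed rule, for illustration).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Each rule maps one dictionary word to one variant.
RULES = [
    lambda w: w,                  # unchanged
    str.capitalize,               # Password
    str.upper,                    # PASSWORD
    lambda w: w[::-1],            # drowssap
    lambda w: w.translate(LEET),  # p455w0rd
]
SUFFIXES = ["", "1", "123", "!", "2002"]


def mangle(word):
    """Yield every variant of `word` built from one rule plus one suffix."""
    for rule, suffix in itertools.product(RULES, SUFFIXES):
        yield rule(word) + suffix


def build_denylist(words):
    """Expand a small dictionary into the much larger set of mangled forms."""
    return {variant for w in words for variant in mangle(w.lower())}


def check_new_password(candidate, denylist, min_len=8):
    """Return (accepted, reason) for a password a user is trying to set."""
    if len(candidate) < min_len:
        return False, "too short"
    if candidate in denylist:
        return False, "dictionary word with a common mangling"
    return True, "ok"


DENYLIST = build_denylist(WORDLIST)

if __name__ == "__main__":
    for pw in ["Password123", "p455w0rd!", "dsbeerf2002", "correct horse battery"]:
        print(pw, check_new_password(pw, DENYLIST))
```

Four dictionary words expand to 100 rejected forms here, which is why a password that looks complex can still fall to a dictionary run while raw brute force is CPU-bound.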