From owner-freebsd-security Wed Sep 18 16:49:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 432C037B401 for ; Wed, 18 Sep 2002 16:49:43 -0700 (PDT) Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA4FC43E75 for ; Wed, 18 Sep 2002 16:49:42 -0700 (PDT) (envelope-from jason@shalott.net) Received: (qmail 3356 invoked by uid 1000); 18 Sep 2002 23:49:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Sep 2002 23:49:37 -0000 Date: Wed, 18 Sep 2002 16:49:37 -0700 (PDT) From: Jason Stone X-X-Sender: To: Subject: Re: Password Security Policy Question In-Reply-To: <20020918201336.17551.qmail@web10101.mail.yahoo.com> Message-ID: <20020918162641.P76675-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > While we're on the subject of passwords, I'm considering setting up a > semi-dedicated box to do some password cracking at work. Is there a > good paper on how to set up some good libraries? I have john the > ripper running right now but the default ability to crack passwds > isn't very good (I threw it some obvious ones...didn't get them). > > Also, is there anything involved in this process aside from raw CPU > time? For the next time I get to build a box, it'd be good to know. If you're just brute forcing sequentially or randomly, then no, it's all about the CPU. Usually, though, it's possible to be a little bit smarter by using dictionaries. I've used crack for this in the past - you feed it one or more big dictionaries, and it applies a bunch of mangling rules to each dictionary entry to generate a really big list which it then tries against the password file. It allows you to supply your own sets of mangling rules and supports weighted spreading of the work across multiple hosts if you have ssh access to all of them (and preferably nfs, though it's not necesary). It's in ports/security/crack if you want to have a go, but be aware of any corporate or university policies that may affect you as well as the legal ramifications of running a program like this. More than one well meaning sysadmin has been sacked, fined, sued or worse just for running crack.... -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9iRERswXMWWtptckRAkl7AJ48s6BIS0dEp45rJalVgvlnRKIxzACfZ75G 0P8Fxk95GTbFwkQvcrXQxBA= =Knre -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message