Complete.Org: Mailing Lists: Archives: discussion: November 2002:
[aclug-L] Re: WeatherLab virus
To: <discussion@xxxxxxxxx>
Subject: [aclug-L] Re: WeatherLab virus
From: Chris Owen <owenc@xxxxxxxxxx>
Date: Sun, 17 Nov 2002 13:59:36 -0600 (CST)
Reply-to: discussion@xxxxxxxxx

On Fri, 15 Nov 2002, Anne McCadden wrote:

> Your birthday isn't very secure because someone could easily find out
> what your birthdate is.  You also shouldn't use your nickname, pet's
> name, a standard dictionary word, etc.  Crackers normally attack with
> a script that runs a dictionary check and in different languages, then
> various configurations of your name, address, nickname, spouse's name,
> birthdate, address, SS#, abcd, xyz, and anything else that would be
> easy for you to remember.

Going through the source or documentation file for one of the cracking
programs is interesting to see what they check.  There are some real
patterns that people follow.  Things like words backwards, double letters,
every other character different case.  Many of the things people do
thinking they are being sly are exactly what the cracking programs rely on
to crack at the dictionary level.  Once you force them out of dictionary
mode and into brute force mode you have pretty much won the battle.

> 5-6 character passwords can be cracked in about 30 minutes.

If you are talking brute force crack (i.e. you have access to the encrypted
password as in /etc/password without shadow) then a 2Ghz P4 will evaluate
about 600,000 combinations a second.

That means that in order to try every possible combination it will take:

5 characters lowercase: 19 seconds
5 characters mixed case: 10 minutes
5 characters mixed plus numbers: 25 minutes
5 characters mixed, number plus 32 "special" on keyboard: 3.4 hours

Even introducing a single "special" character adds to the time it takes to
brute force it by an insane amount.  At 8 characters it is even more
obvious:

lowercase: 4 days
mixed case: 1031 days
mixed + #s: 4211 days
mixed, #s, special 32: 117,586 days

> Do I sound paranoid?  Yes, a little.  I know some former(?) hackers
> and I also know that there are people out on the internet with more
> time on their hands than they know what to do with.

About 18 months ago we had reason to need to store customers' email
passwords in plain text.  We'd never kept track of them before (they were
only stored in crypt format).  We ran Jack the Ripper on the password for
on a 1Ghz P3 for approximately 9 months.  Out of 9,000 passwords we had
6,000 of them in 20 minutes (although this was sped up in part because
our dictionary also included dialup passwords which were often similar to
email passwords).  Out of the 3,000 we didn't get in the first 20 minutes
it only took about a week to get another 2,500.  Within a month or so we
had all but 200.  Over the next 8 months we got approximately 100 more.
The last 100 we gave up on.

All it takes to be in that last 100 is probably a single "special"
character.  As soon as you introduce that you increase the possibilities so
high that no one can really do much at all.

Bruteforcing a 10 character password for upper, lower, numbers and just
the 32 "specials" on the keyboard will take 2,846,562 years.  Chances are
it will get changed somewhere in that period ;-]

Chris

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Owen                ~ Garden City (620) 275-1900 ~  Lottery (noun):
President                 ~ Wichita     (316) 858-3000 ~    A stupidity tax
Hubris Communications Inc ~       www.hubris.net       ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
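
The following is an added example, not part of the original post and not code from any cracking program: a defender-side password check that undoes the patterns named in the message (backwards words, doubled letters, alternating case) and, for passwords that survive, estimates exhaustive-search time at the 600,000 guesses per second quoted above. The wordlist is a constructed sample, the function names are hypothetical, and "double letters" is interpreted two ways as an assumption.

```python
import string

RATE = 600_000  # guesses per second, the figure quoted in the post

# Constructed sample wordlist; a real check would load a full dictionary.
WORDS = {"password", "weather", "garden", "wichita", "lottery"}

def undo_mangling(pw):
    """Yield candidate base words for the patterns the post lists."""
    low = pw.lower()                  # undoes alternating or mixed case
    yield low
    yield low[::-1]                   # word typed backwards
    if len(low) % 2 == 0:
        half = len(low) // 2
        if low[:half] == low[half:]:
            yield low[:half]          # whole word doubled (assumed reading)
        if all(low[i] == low[i + 1] for i in range(0, len(low), 2)):
            yield low[::2]            # every letter doubled (assumed reading)

def in_dictionary_mode(pw, words=WORDS):
    """True if the password reduces to a dictionary word."""
    return any(candidate in words for candidate in undo_mangling(pw))

def charset_size(pw):
    """Size of the character classes used: 26 + 26 + 10 + 32 specials."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):  # the 32 keyboard specials
        size += 32
    return size

def brute_force_seconds(pw, rate=RATE):
    """Time to try every combination of this length over the classes used."""
    return charset_size(pw) ** len(pw) / rate

def assess(pw):
    """Return (mode, seconds): dictionary hits count as effectively instant."""
    if in_dictionary_mode(pw):
        return ("dictionary", 0.0)
    return ("brute-force", brute_force_seconds(pw))
```

With a full dictionary in place of the sample set, this kind of check can run at password-change time so that only passwords outside dictionary mode are accepted.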

