To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: WeatherLab virus
From: "Jonathan Hall" <flimzy@xxxxxxxxxx>
Date: Mon, 18 Nov 2002 13:59:07 -0600
Reply-to: discussion@xxxxxxxxx

Did you send a congratulations notice to the 100 "winners" of your Secure
Password contest? :)


----- Original Message -----
From: "Chris Owen" <owenc@xxxxxxxxxx>
To: <discussion@xxxxxxxxx>
Sent: Sunday, November 17, 2002 1:59 PM
Subject: [aclug-L] Re: WeatherLab virus


>
> On Fri, 15 Nov 2002, Anne McCadden wrote:
>
> > Your birthday isn't very secure because someone could easily find out
> > what your birthdate is.  You also shouldn't use your nickname, pet's
> > name, a standard dictionary word, etc.  Crackers normally attack with
> > a script that runs a dictionary check and in different languages, then
> > various configurations of your name, address, nickname, spouse's name,
> > birthdate, address, SS#, abcd, xyz, and anything else that would be
> > easy for you to remember.
>
> Going through the source or documentation file for one of the cracking
> programs is interesting to see what they check.  There are some real
> patterns that people follow.  Things like words backwards, double letters,
> every other character different case.  Many of the things people do
> thinking they are being sly are exactly what the cracking programs rely on
> to crack at the dictionary level.  Once you force them out of dictionary
> mode and into brute force mode you have pretty much won the battle.
>
> > 5-6 character passwords can be cracked in about 30 minutes.
>
> If you are talking brute force crack (ie you have access to the encrypted
> password as in /etc/password without shadow) then a 2Ghz P4 will evaluate
> about 600,000 combinations a second.
>
> That means that in order to try every possible combination it will take:
>
> 5 characters lowercase: 19 seconds
> 5 characters mixed case: 10 minutes
> 5 characters mixed plus numbers: 25 minutes
> 5 characters mixed, number plus 32 "special" on keyboard: 3.4 hours
>
> Even introducing a single "special" character adds to the time it takes to
> brute force it by an insane amount.  At 8 characters it is even more
> obvious:
>
> lowercase: 4 days
> mixed case: 1031 days
> mixed + #s: 4211 days
> mixed, #s, special 32: 117,586 days
>
> > Do I sound paranoid?  Yes, a little.  I know some former(?) hackers
> > and I also know that there are people out on the internet with more
> > time on their hands than they know what to do with.
>
> About 18 months ago we had reason to need to store customers email
> passwords in plain text.  We'd never kept track of them before (they were
> only stored in crypt format).  We ran Jack the Ripper on the passwords
> on a 1Ghz P3 for approximately 9 months.  Out of 9,000 passwords we had
> 6,000 of them in 20 minutes (although this was sped up in part because
> our dictionary also included dialup passwords which were often similar to
> email passwords).  Out of the 3,000 we didn't get in the first 20 minutes
> it only took about a week to get another 2,500.  Within a month or so we
> had all but 200.  Over the next 8 months we got approximately 100 more.
> The last 100 we gave up on.
>
> All it takes to be in that last 100 is probably a single "special"
> character.  As soon as you introduce that you increase the possibilities so
> high that no one can really do much at all.
>
> Bruteforcing a 10 character password for upper, lower, numbers and just
> the 32 "specials" on the keyboard will take 2,846,562 years.  Chances are
> it will get changed somewhere in that period ;-]
>
> Chris
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Chris Owen                ~ Garden City (620) 275-1900 ~  Lottery (noun):
> President                 ~ Wichita     (316) 858-3000 ~    A stupidity tax
> Hubris Communications Inc ~       www.hubris.net       ~
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

