[aclug-L] Re: WeatherLab virus
Did you send a congratulations notice to the 100 "winners" of your Secure
Password contest? :)
----- Original Message -----
From: "Chris Owen" <owenc@xxxxxxxxxx>
To: <discussion@xxxxxxxxx>
Sent: Sunday, November 17, 2002 1:59 PM
Subject: [aclug-L] Re: WeatherLab virus
>
> On Fri, 15 Nov 2002, Anne McCadden wrote:
>
> > Your birthday isn't very secure because someone could easily find out
> > what your birthdate is. You also shouldn't use your nickname, pet's
> > name, a standard dictionary word, etc. Crackers normally attack with
> > a script that runs a dictionary check and in different languages, then
> > various configurations of your name, address, nickname, spouse's name,
> > birthdate, address, SS#, abcd, xyz, and anything else that would be
> > easy for you to remember.
>
> Going through the source or documentation file for one of the cracking
> programs is interesting to see what they check. There are some real
> patterns that people follow. Things like words backwards, double letters,
> every other character different case. Many of the things people do
> thinking they are being sly are exactly what the cracking programs rely on
> to crack at the dictionary level. Once you force them out of dictionary
> mode and into brute force mode you have pretty much won the battle.
>
> > 5-6 character passwords can be cracked in about 30 minutes.
>
> If you are talking brute force crack (i.e. you have access to the encrypted
> password as in /etc/password without shadow) then a 2GHz P4 will evaluate
> about 600,000 combinations a second.
>
> That means that in order to try every possible combination it will take:
>
> 5 characters lowercase: 19 seconds
> 5 characters mixed case: 10 minutes
> 5 characters mixed plus numbers: 25 minutes
> 5 characters mixed, number plus 32 "special" on keyboard: 3.4 hours
>
> Even introducing a single "special" character adds to the time it takes to
> brute force it by an insane amount. At 8 characters it is even more
> obvious:
>
> lowercase: 4 days
> mixed case: 1031 days
> mixed + #s: 4211 days
> mixed, #s, special 32: 117,586 days
>
> > Do I sound paranoid? Yes, a little. I know some former(?) hackers
> > and I also know that there are people out on the internet with more
> > time on their hands than they know what to do with.
>
> About 18 months ago we had reason to need to store customers' email
> passwords in plain text. We'd never kept track of them before (they were
> only stored in crypt format). We ran Jack the Ripper on the passwords
> on a 1GHz P3 for approximately 9 months. Out of 9,000 passwords we had
> 6,000 of them in 20 minutes (although this was sped up in part because
> our dictionary also included dialup passwords which were often similar to
> email passwords). Out of the 3,000 we didn't get in the first 20 minutes
> it only took about a week to get another 2,500. Within a month or so we
> had all but 200. Over the next 8 months we got approximately 100 more.
> The last 100 we gave up on.
>
> All it takes to be in that last 100 is probably a single "special"
> character. As soon as you introduce that you increase the possibilities so
> high that no one can really do much at all.
>
> Bruteforcing a 10 character password for upper, lower, numbers and just
> the 32 "specials" on the keyboard will take 2,846,562 years. Chances are
> it will get changed somewhere in that period ;-]
>
> Chris
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun):
> President ~ Wichita (316) 858-3000 ~ A stupidity tax
> Hubris Communications Inc ~ www.hubris.net ~
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- This is the discussion@xxxxxxxxx list. To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
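The arithmetic behind the brute-force tables in Chris Owen's quoted reply, and a toy version of the "dictionary mode" rules he mentions (words backwards, doubled letters, alternating case), as an added example that is not part of the original thread. The 600,000 guesses per second rate and the character-class sizes (26, 52, 62, 94) are taken from the mail; the wordlist and the test passwords are constructed for illustration.

```python
"""Added example, not part of the aclug-L thread: the arithmetic behind
Chris Owen's brute-force table and a toy version of the "dictionary mode"
mangling rules he describes (backwards, double letters, alternating case)."""
from typing import Iterator, Optional

# Rate assumed from the mail: ~600,000 crypt() guesses/s on a 2 GHz P4 (2002).
RATE_2002 = 600_000

# Character-class sizes the mail uses; "specials" = the 32 printable ASCII
# punctuation characters on a US keyboard, so 26 + 26 + 10 + 32 = 94.
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed + digits": 62,
    "mixed + digits + 32 specials": 94,
}


def brute_force_seconds(charset_size: int, length: int, rate: int = RATE_2002) -> int:
    """Whole seconds to exhaust every string of exactly `length` characters.

    Integer arithmetic keeps 94**10 exact; the result is floored, which is
    how the figures in the mail were rounded.
    """
    return charset_size ** length // rate


def brute_force_table(length: int, rate: int = RATE_2002) -> dict:
    """Exhaustion time in seconds for each charset at the given length."""
    return {name: brute_force_seconds(size, length, rate)
            for name, size in CHARSETS.items()}


def mangle(word: str) -> Iterator[str]:
    """Variants a wordlist attack derives from one dictionary word.

    These are the tricks the mail says people think are "sly". A cracker
    applies them as rules, so the password is still found at dictionary cost
    rather than forcing the attacker into brute-force mode.
    """
    yield word
    yield word.lower()
    yield word.upper()
    yield word.capitalize()
    yield word[::-1]                                   # backwards
    yield "".join(c * 2 for c in word)                 # double letters
    yield "".join(c.lower() if i % 2 == 0 else c.upper()
                  for i, c in enumerate(word))         # aLtErNaTiNg case
    yield "".join(c.upper() if i % 2 == 0 else c.lower()
                  for i, c in enumerate(word))         # AlTeRnAtInG case
    for n in range(100):                               # trailing digits
        yield f"{word}{n}"


def crackable_by_rules(password: str, wordlist) -> Optional[str]:
    """Return the wordlist entry that reaches `password` under mangle(), else None."""
    for word in wordlist:
        for candidate in mangle(word):
            if candidate == password:
                return word
    return None


# Constructed wordlist for the demonstration; a real run uses a dictionary file.
WORDLIST = ["password", "weather", "wichita", "secret"]

if __name__ == "__main__":
    for length in (5, 8, 10):
        print(f"{length} characters:")
        for name, secs in brute_force_table(length).items():
            print(f"  {name:30s} {secs / 86400:>16,.1f} days")
    for pw in ("drowssap", "WeAtHeR", "wwiicchhiittaa", "secret42", "pa$sword"):
        print(f"{pw:16s} -> {crackable_by_rules(pw, WORDLIST)}")
```

The absolute times reproduce the 2002 figures (19 seconds for five lowercase letters, 117,586 days for eight characters over all 94 printable ASCII characters) and date quickly as hardware speeds up; the ratios between rows, and the point that a mangled dictionary word never leaves dictionary mode, do not.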