[aclug-L] Re: WeatherLab virus
Very good question. The people who had the most secure passwords should
have received some type of reward.
Maybe I was a teacher for too long, I keep wanting to reward good behavior.
Jonathan Hall wrote:
>Did you send a congratulations notice to the 100 "winners" of your Secure
>Password contest? :)
>
>
>----- Original Message -----
>From: "Chris Owen" <owenc@xxxxxxxxxx>
>To: <discussion@xxxxxxxxx>
>Sent: Sunday, November 17, 2002 1:59 PM
>Subject: [aclug-L] Re: WeatherLab virus
>
>
>>On Fri, 15 Nov 2002, Anne McCadden wrote:
>>
>>>Your birthday isn't very secure because someone could easily find out
>>>what your birthdate is. You also shouldn't use your nickname, pet's
>>>name, a standard dictionary word, etc. Crackers normally attack with
>>>a script that runs a dictionary check and in different languages, then
>>>various configurations of your name, address, nickname, spouse's name,
>>>birthdate, address, SS#, abcd, xyz, and anything else that would be
>>>easy for you to remember.
>>>
>>Going through the source or documentation file for one of the cracking
>>programs is interesting to see what they check. There are some real
>>patterns that people follow. Things like words backwards, double letters,
>>every other character different case. Many of the things people do
>>thinking they are being sly are exactly what the cracking programs rely on
>>to crack at the dictionary level. Once you force them out of dictionary
>>mode and into brute force mode you have pretty much won the battle.
>>
>>>5-6 character passwords can be cracked in about 30 minutes.
>>>
>>If you are talking brute force crack (i.e. you have access to the encrypted
>>password as in /etc/password without shadow) then a 2 GHz P4 will evaluate
>>about 600,000 combinations a second.
>>
>>That means that in order to try every possible combination it will take:
>>
>>5 characters lowercase: 19 seconds
>>5 characters mixed case: 10 minutes
>>5 characters mixed plus numbers: 25 minutes
>>5 characters mixed, number plus 32 "special" on keyboard: 3.4 hours
>>
>>Even introducing a single "special" character adds to the time it takes to
>>brute force it by an insane amount. At 8 characters it is even more
>>obvious:
>>
>>lowercase: 4 days
>>mixed case: 1031 days
>>mixed + #s: 4211 days
>>mixed, #s, special 32: 117,586 days
>>
>>>Do I sound paranoid? Yes, a little. I know some former(?) hackers
>>>and I also know that there are people out on the internet with more
>>>time on their hands than they know what to do with.
>>>
>>About 18 months ago we had reason to need to store customers' email
>>passwords in plain text. We'd never kept track of them before (they were
>>only stored in crypt format). We ran Jack the Ripper on the passwords
>>on a 1 GHz P3 for approximately 9 months. Out of 9,000 passwords we had
>>6,000 of them in 20 minutes (although this was sped up in part because
>>our dictionary also included dialup passwords which were often similar to
>>email passwords). Out of the 3,000 we didn't get in the first 20 minutes
>>it only took about a week to get another 2,500. Within a month or so we
>>had all but 200. Over the next 8 months we got approximately 100 more.
>>The last 100 we gave up on.
>>
>>All it takes to be in that last 100 is probably a single "special"
>>character. As soon as you introduce that you increase the possibilities so
>>high that no one can really do much at all.
>>
>>Brute-forcing a 10 character password for upper, lower, numbers and just
>>the 32 "specials" on the keyboard will take 2,846,562 years. Chances are
>>it will get changed somewhere in that period ;-]
>>
>>Chris
>>
>>--
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun):
>>President ~ Wichita (316) 858-3000 ~ A stupidity tax
>>Hubris Communications Inc ~ www.hubris.net ~
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>-- This is the discussion@xxxxxxxxx list. To unsubscribe,
>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
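Chris's keyspace arithmetic and his point about "sly" dictionary mangling, as an added Python example that is not part of the thread: it reproduces the worst-case brute-force times at the quoted 600,000 guesses per second for the four nested character sets (26, 52, 62, 94), and, from a defender's side, flags a candidate password that is merely a reversed, doubled, alternating-case or digit-suffixed form of a dictionary word. The wordlist and the mangling rules are a constructed stand-in for a real cracker's rule set, not John the Ripper's own.

```python
import string

# Figures quoted in the thread: a 2 GHz P4 at about 600,000 crypt() guesses per
# second; 26 lowercase, 52 mixed case, 62 with digits, 94 with the 32 "specials".
GUESSES_PER_SECOND = 600_000
SECONDS_PER_DAY = 86_400

# Constructed mini-wordlist standing in for a cracker's dictionary (assumption).
WORDLIST = {"weather", "password", "secret", "kansas"}


def brute_force_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every string of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length / rate


def charset_size(password):
    """Smallest of the thread's four nested charsets containing every character."""
    size = 26
    if any(c.isupper() for c in password):
        size = 52
    if any(c.isdigit() for c in password):
        size = 62
    if any(c in string.punctuation for c in password):
        size = 94
    return size


def mangle(word):
    """Assumed rule set: the word itself, reversed, letters doubled, alternating
    case (both phases), capitalised, and each of those plus one trailing digit."""
    alternating = "".join(c.upper() if i % 2 else c for i, c in enumerate(word))
    base = {word, word[::-1], "".join(c * 2 for c in word),
            alternating, alternating.swapcase(), word.capitalize()}
    return base | {form + str(d) for form in base for d in range(10)}


def falls_to_dictionary(password):
    """True if a mangling pass over the wordlist would produce this password."""
    return any(password in mangle(w) for w in WORDLIST)


def assess(password):
    """('dictionary', 0.0) if rules reach it, else ('brute force', worst-case days)."""
    if falls_to_dictionary(password):
        return "dictionary", 0.0
    secs = brute_force_seconds(charset_size(password), len(password))
    return "brute force", secs / SECONDS_PER_DAY


if __name__ == "__main__":
    for length in (5, 8):
        for n in (26, 52, 62, 94):
            print(f"{length} chars over {n}: {brute_force_seconds(n, length) / SECONDS_PER_DAY:12.2f} days")
    for pw in ("weather", "rehtaew", "wEaThEr", "Weather7", "Tv#9xq2L"):
        print(pw, assess(pw))
```

The 8-character row over 94 symbols comes out at 117,586 days, matching the figure in the post; the last sample password lands in brute-force mode only because the hypothetical wordlist has no rule that reaches it.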