Complete.Org: Mailing Lists: Archives: discussion: November 2002:
[aclug-L] Re: WeatherLab virus
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: WeatherLab virus
From: Anne McCadden <ironrose@xxxxxxx>
Date: Mon, 18 Nov 2002 20:53:17 -0600
Reply-to: discussion@xxxxxxxxx

Very good question.  The people who had the most secure passwords should 
have received some type of reward.
Maybe I was a teacher for too long; I keep wanting to reward good behavior.

Jonathan Hall wrote:

>Did you send a congratulations notice to the 100 "winners" of your Secure
>Password contest? :)
>
>
>----- Original Message -----
>From: "Chris Owen" <owenc@xxxxxxxxxx>
>To: <discussion@xxxxxxxxx>
>Sent: Sunday, November 17, 2002 1:59 PM
>Subject: [aclug-L] Re: WeatherLab virus
>
>
>>On Fri, 15 Nov 2002, Anne McCadden wrote:
>>
>>>Your birthday isn't very secure because someone could easily find out
>>>what your birthdate is.  You also shouldn't use your nickname, pet's
>>>name, a standard dictionary word, etc.  Crackers normally attack with
>>>a script that runs a dictionary check and in different languages, then
>>>various configurations of your name, address, nickname, spouse's name,
>>>birthdate, address, SS#, abcd, xyz, and anything else that would be
>>>easy for you to remember.
>>>
>>Going through the source or documentation file for one of the cracking
>>programs is interesting to see what they check.  There are some real
>>patterns that people follow.  Things like words backwards, double letters,
>>every other character different case.  Many of the things people do
>>thinking they are being sly are exactly what the cracking programs rely on
>>to crack at the dictionary level.  Once you force them out of dictionary
>>mode and into brute force mode you have pretty much won the battle.
>>
>>>5-6 character passwords can be cracked in about 30 minutes.
>>>
>>If you are talking brute force crack (ie you have access to the encrypted
>>password as in /etc/password without shadow) then a 2Ghz P4 will evaluate
>>about 600,000 combinations a second.
>>
>>That means that in order to try every possible combination it will take:
>>
>>5 characters lowercase: 19 seconds
>>5 characters mixed case: 10 minutes
>>5 characters mixed plus numbers: 25 minutes
>>5 characters mixed, number plus 32 "special" on keyboard: 3.4 hours
>>
>>Even introducing a single "special" character adds to the time it takes to
>>brute force it by an insane amount.  At 8 characters it is even more
>>obvious:
>>
>>lowercase: 4 days
>>mixed case: 1031 days
>>mixed + #s: 4211 days
>>mixed, #s, special 32: 117,586 days
>>
>>>Do I sound paranoid?  Yes, a little.  I know some former(?) hackers
>>>and I also know that there are people out on the internet with more
>>>time on their hands than they know what to do with.
>>>
>>About 18 months ago we had reason to need to store customers email
>>passwords in plain text.  We'd never kept track of them before (they were
>>only stored in crypt format).  We ran Jack the Ripper on the passwords
>>on a 1Ghz P3 for approximately 9 months.  Out of 9,000 passwords we had
>>6,000 of them in 20 minutes (although this was sped up in part because
>>our dictionary also included dialup passwords which were often similar to
>>email passwords).  Out of the 3,000 we didn't get in the first 20 minutes
>>it only took about a week to get another 2,500.  Within a month or so we
>>had all but 200.  Over the next 8 months we got approximately 100 more.
>>The last 100 we gave up on.
>>
>>All it takes to be in that last 100 is probably a single "special"
>>character.  As soon as you introduce that you increase the possibilities so
>>high that no one can really do much at all.
>>
>>Bruteforcing a 10 character password for upper, lower, numbers and just
>>the 32 "specials" on the keyboard will take 2,846,562 years.  Chances are
>>it will get changed somewhere in that period ;-]
>>
>>Chris
>>
>>--
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>Chris Owen                ~ Garden City (620) 275-1900 ~  Lottery (noun):
>>President                 ~ Wichita     (316) 858-3000 ~    A stupidity tax
>>Hubris Communications Inc ~       www.hubris.net       ~
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>>
>>-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>>
>>


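The arithmetic behind Chris's exhaustive-search table, as an added example that is not part of the thread: the alphabet sizes (26/52/62/94) and the 600,000 guesses per second figure come from his message; the `humanize` and `entropy_bits` helpers and the adjustable `rate` parameter are this example's own assumptions.

```python
"""Worst-case time to exhaust a password keyspace (added example, not thread code)."""
import math

# Character-class sizes used in the thread; 94 = 26 + 26 + 10 + the "32 specials".
LOWER, MIXED, MIXED_DIGITS, MIXED_DIGITS_SPECIAL = 26, 52, 62, 94
# Guesses per second quoted for a 2 GHz P4 in 2002.  Treat it as a parameter:
# current hardware is orders of magnitude faster, so rerun with a measured rate.
RATE_2GHZ_P4 = 600_000

SECS_PER_MIN, SECS_PER_HOUR, SECS_PER_DAY = 60, 3600, 86_400
SECS_PER_YEAR = 365 * SECS_PER_DAY


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def exhaust_seconds(alphabet: int, length: int, rate: int = RATE_2GHZ_P4) -> int:
    """Seconds to try every candidate.  Integer arithmetic on purpose: at
    10 characters the keyspace already exceeds what a float holds exactly."""
    return keyspace(alphabet, length) // rate


def entropy_bits(alphabet: int, length: int) -> float:
    """Same keyspace expressed in bits; each extra bit doubles the search."""
    return length * math.log2(alphabet)


def humanize(seconds: int) -> str:
    """Largest unit that fits, one decimal (the thread mixed units by hand)."""
    for unit, size in (("years", SECS_PER_YEAR), ("days", SECS_PER_DAY),
                       ("hours", SECS_PER_HOUR), ("minutes", SECS_PER_MIN)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds} seconds"


def thread_table(length: int, rate: int = RATE_2GHZ_P4) -> dict:
    """The thread's rows for one password length, keyed by character class."""
    classes = {"lowercase": LOWER, "mixed case": MIXED,
               "mixed + digits": MIXED_DIGITS, "mixed + digits + 32 special": MIXED_DIGITS_SPECIAL}
    return {name: humanize(exhaust_seconds(n, length, rate)) for name, n in classes.items()}


if __name__ == "__main__":
    for length in (5, 8, 10):
        print(f"--- {length} characters at {RATE_2GHZ_P4:,} guesses/s "
              f"({entropy_bits(MIXED_DIGITS_SPECIAL, length):.1f} bits for the 94-symbol set) ---")
        for name, when in thread_table(length).items():
            print(f"{name:<28} {when}")
```

Doubling the symbol count or adding one character multiplies the search, which is why the thread's 32 specials matter far more than one extra lowercase letter; lowering `rate` to a dictionary-mode figure shows nothing about pattern-based guessing, which is a separate attack the table deliberately ignores.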