Home page logo
/

basics logo Security Basics mailing list archives

Re: Re: RE: ADS Password Storage Protection
From: "Gregory Rubin" <grrubin () gmail com>
Date: Mon, 17 Jul 2006 15:27:33 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While dictionary attacks are very useful, the ease of remembering a
passphrase makes up for the difference (IMHO).  For example, take the
following passphrase (which I don't use anywhere):

Once upon a mid-night dreary while I pondered, "What's a door?"

Perfectly correct English and very easy to remember (especially if you
ever read the Mad spoof of "The Raven").  It also is 63 characters
long, mixed case, with symbols, and doesn't exist as a string in any
published text.  Is it really that vulnerable to dictionary attacks?

I can't remember highly complex passwords of more than about 8 to 12
characters.  Once I get too many of them, I need to start writing them
down unless I make them easy to remember, and with only 8 char. to
work with (as many of my passwords are restricticted in length) it is
very hard not to compromise the complexity while being easy to
remember.  On the other hand, I easily remember several different
passphrases of lengths ranging from 20 to (now) 63 and though there is
one that I haven't used in about a year, it is still fresh in my mind.
This reduces the problems of recording passwords in insecure
locations or needed passwords reset.

Greg

On 17 Jul 2006 19:55:09 -0000, eric.baechle () dhs gov
<eric.baechle () dhs gov> wrote:
Winshel;


Actually, a passphrase is not as secure as a random password.  As you probably have heard, "Don't use dictionary words" over and over again.  Even compound dictionary words 
are bad, ie: "firedogdalmation".  Compounding dictionary words with spaces, punctuation, and even gramatically correct modifiers in between is really no different than without.  
It's a very simple substitution to try; "firedogdalmation" and then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire Dog", 
etc.


Using compound dictionary words could come back to bite you very quickly, even when used in long phrases.


Sincerely,


Eric Baechle, CISSP/ISSEP, etc.

Senior INFOSEC/OPSEC Engineer

Department of Homeland Security

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9

iD8DBQFEvA7G5KDU23nQpRcRAibeAKDLSAujGr6/sPQb3xNObyz69QIVWwCfTk1c
N8T2LEwVcx4d+MWvaLau6tg=
=uL83
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]