Home page logo

pen-test logo Penetration Testing mailing list archives

Education End Users about Passwords - Was - RE: john the ripper
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Mon, 8 Dec 2003 17:05:29 -0600


My personal experience is that I would rather have a user with a relative
week (6 digit) password that isn't susceptible to a simple dictionary attack
AND that doesn't have it written on a sticky note AND knows not to give it
out over the phone.  User education is far more important than the length of
the password.  

The most important thing is explaining to users how they can generate their
own "hard" passwords.  The algorithm that I teach them is this:

1. Pick a sentence that has meaning for you and that you will remember.
        i.e. I work at cox today.
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants as it is the opposite of rule 2) become
lower case characters.
4. Words like to and for become numbers.
5. Words like at and "and" become symbols (@ and &)
6. Add some character to the end like ! or #

now my password is iW () C2day! 

Once they get this simple thing down, getting them to choose "strong"
passwords becomes infinitely easier, because they now have a mnemonic device
to recall the password - the primary end user complaint about using "strong"
passwords.  If they can remember it, they are also a lot less likely to use
the nefarious sticky note.  Then all you have to worry about is making sure
that they know not to give it out over the phone, which frankly, is the
easiest method of "cracking" a password.

2 cents,


-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien () columbia com] 
Sent: Monday, December 08, 2003 1:38 PM
To: falcon () secureconsulting net; pen-test () securityfocus com
Subject: RE: john the ripper

Okay, I hear what you're saying about the amount of time being used and
all... but.. 

If your users are like the ones I've seen, that "reasonably strong"
password (such as &Y6N8gg0 -- presumably strong) is just going to get
written down on a sticky tab and put on the users monitor or under their
keyboard.  The point is, while you've done a great job creating a strong
keyspace which is difficult to break, I may open up a bigger problem.
The goal is to get through the proverbial wall.  Whether I do that by
breaking through the bricks or scaling it or just going around, it
doesn't really matter to me.  If I make the wall thicker, that just
moves the problem -- I'm still interested in getting to the other side,
and I know I won't be able break through it, so off I go to find a
different solution... 

Just my thoughts. 

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon () secureconsulting net] 
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test () securityfocus com
Subject: RE: john the ripper

Scary numbers...so, semi-drifting question: how long is an "acceptable"
length of time to run a cracker before pronouncing that uncracked
are "reasonably strong and well-chosen"?

-----Original Message-----
From: Mike [mailto:myname17 () bellsouth net]
Sent: Monday, December 08, 2003 3:45 AM
To: Giacomo; pen-test () securityfocus com
Subject: Re: john the ripper

I recently did a little research on this, and if the password was
well chosen
you will not find the password.

An 8 character password, based on a 72 character set (26 lower
case letters,
26 uppercase letters, 10 digits, and 10 special characters)
results in 72^8
or 7.2x10^14 possible passwords.  My reference PC was only able
to crack at
1500c/s.  Doing the math reveals that 150,000 years would be required
crack all combinations, or 75,000 years on average.  For a 12
password the result was 2,000,000,000,000 years.

If my math is wrong, please break it to me gently.


On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
Hi all

I am tryning to crack cisco md5 password.
Currently I am using a Athlon XP2500barton at 2300mhz, after 17days
continue to crack at 3800c/s (it started at 4500c/s).
I am asking myself and all of you what is the best system (hardware)
crack md5 password.
I am thinking that the best way Is the powerfull (mhz) i386 in
I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
without lucky results.
The sun 280 (dual 64bits cpu at 900mhz) go to a poor 900c/s

which is you reference system to use john on md5 password ?








  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]