Penetration Testing mailing list archives

RE: Education End Users about Passwords - Was - RE: john the ripper
From: "Micheal Thompson" <MThompson () brinkster com>
Date: Tue, 9 Dec 2003 12:19:49 -0500

End user education is the greatest defense. People are often the weakest
link. One step further is the education of the social and physical
aspects of security.

Case in point: I was performing a pen-test for a financial institution.
I walked in and asked to see the manager. I told the manager that I had to
open an account for a business that I was president of. I had the bank
give me bogus papers and presented those papers to the manager.
After about five minutes of building a rapport I spilt my water that I
got from the waiting room on her blouse. She left the room and left me
in there. She did not even lock her machine. I just slipped a floppy
into the A: and loaded the DISK that had some goodies on it.

The point is, physical security is just as important as passwords. As you
guys know, most machines can be raped if you have physical access to

Sorry for going off thread just want to bring this up.

-----Original Message-----
From: Thompson, Jimi [mailto:JimiT () mail cox smu edu] 
Sent: Monday, December 08, 2003 6:05 PM
To: pen-test () securityfocus com
Subject: Education End Users about Passwords - Was - RE: john the ripper


My personal experience is that I would rather have a user with a
weak (6 digit) password that isn't susceptible to a simple dictionary
AND that doesn't have it written on a sticky note AND knows not to give
out over the phone.  User education is far more important than the
length of the password.

The most important thing is explaining to users how they can generate
their own "hard" passwords.  The algorithm that I teach them is this:

1. Pick a sentence that has meaning for you and that you will remember.
        i.e. I work at cox today.
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants as it is the opposite of rule 2) become
lower case characters.
4. Words like to and for become numbers.
5. Words like at and "and" become symbols (@ and &).
6. Add some character to the end like ! or #

Now my password is iW@C2day!

Once they get this simple thing down, getting them to choose "strong"
passwords becomes infinitely easier, because they now have a mnemonic
to recall the password - the primary end user complaint about using
passwords.  If they can remember it, they are also a lot less likely to
the nefarious sticky note.  Then all you have to worry about is making
that they know not to give it out over the phone, which frankly, is the
easiest method of "cracking" a password.

2 cents,


-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien () columbia com] 
Sent: Monday, December 08, 2003 1:38 PM
To: falcon () secureconsulting net; pen-test () securityfocus com
Subject: RE: john the ripper

Okay, I hear what you're saying about the amount of time being used and
all... but.. 

If your users are like the ones I've seen, that "reasonably strong"
password (such as &Y6N8gg0 -- presumably strong) is just going to get
written down on a sticky tab and put on the user's monitor or under their
keyboard.  The point is, while you've done a great job creating a strong
keyspace which is difficult to break, I may open up a bigger problem.
The goal is to get through the proverbial wall.  Whether I do that by
breaking through the bricks or scaling it or just going around, it
doesn't really matter to me.  If I make the wall thicker, that just
moves the problem -- I'm still interested in getting to the other side,
and I know I won't be able to break through it, so off I go to find a
different solution...

Just my thoughts. 

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon () secureconsulting net] 
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test () securityfocus com
Subject: RE: john the ripper

Scary numbers...so, semi-drifting question: how long is an "acceptable"
length of time to run a cracker before pronouncing that uncracked
are "reasonably strong and well-chosen"?

-----Original Message-----
From: Mike [mailto:myname17 () bellsouth net]
Sent: Monday, December 08, 2003 3:45 AM
To: Giacomo; pen-test () securityfocus com
Subject: Re: john the ripper

I recently did a little research on this, and if the password was
well chosen you will not find the password.

An 8 character password, based on a 72 character set (26 lower
case letters, 26 uppercase letters, 10 digits, and 10 special characters)
results in 72^8 or 7.2x10^14 possible passwords.  My reference PC was only able
to crack at 1500c/s.  Doing the math reveals that 150,000 years would be required
to crack all combinations, or 75,000 years on average.  For a 12 character
password the result was 2,000,000,000,000 years.

If my math is wrong, please break it to me gently.


On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
Hi all

I am trying to crack cisco md5 password.
Currently I am using a Athlon XP2500barton at 2300mhz, after 17days
continue to crack at 3800c/s (it started at 4500c/s).
I am asking myself and all of you what is the best system (hardware) to
crack md5 password.
I am thinking that the best way is the powerful (mhz) i386 in
I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
without lucky results.
The sun 280 (dual 64bits cpu at 900mhz) goes to a poor 900c/s

Which is your reference system to use john on md5 password?

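The keyspace and cracking-time arithmetic that runs through this thread (Mike's 72-symbol, 8-character estimate at 1500 c/s, and Giacomo's 17-day run at about 3800 c/s), as an added Python example; it is not code from any poster, and it assumes a constant candidate rate and an exhaustive search over a single fixed length.

```python
# Added example (not from any post in the thread): brute-force keyspace and
# time-to-exhaust arithmetic for the figures quoted above. Assumes a constant
# candidate rate and that every password has exactly the given length.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a set of `charset_size`."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, rate_per_sec: float) -> float:
    """Years needed to try every candidate at a constant rate (worst case; average is half)."""
    return keyspace(charset_size, length) / rate_per_sec / SECONDS_PER_YEAR


def coverage_after(charset_size: int, length: int, rate_per_sec: float, days: float) -> float:
    """Fraction of the keyspace an exhaustive search has covered after `days` at the given rate.

    This is the number the thread's 'how long is long enough' question turns on: a run that
    covered only a tiny fraction of the space says little about the uncracked passwords.
    """
    tried = rate_per_sec * days * SECONDS_PER_DAY
    return min(1.0, tried / keyspace(charset_size, length))


def min_length_for(charset_size: int, rate_per_sec: float, budget_years: float) -> int:
    """Smallest length whose keyspace cannot be exhausted within `budget_years` at the rate."""
    length = 1
    while years_to_exhaust(charset_size, length, rate_per_sec) < budget_years:
        length += 1
    return length


if __name__ == "__main__":
    # Mike's figures: 72-symbol set, 8 characters, 1500 c/s on the reference PC
    print(f"72^8 = {keyspace(72, 8):.2e} candidates")
    print(f"years to exhaust at 1500 c/s: {years_to_exhaust(72, 8, 1500):,.0f}")
    # Giacomo's run: 17 days at ~3800 c/s (it had started at 4500 c/s)
    print(f"share of 72^8 covered in 17 days at 3800 c/s: {coverage_after(72, 8, 3800, 17):.2e}")
    # Shortest length that outlasts a 100-year exhaustive run at 1500 c/s
    print(f"min length for a 100-year budget at 1500 c/s: {min_length_for(72, 1500, 100)}")
```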