Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: looking for a webapp bruteforce video for non-techies
From: "Robin Wood" <dninja () gmail com>
Date: Tue, 3 Jun 2008 18:09:38 +0100

2008/6/3 Paul Melson <pmelson () gmail com>:
That may not actually be such a bad password (on balance and in
context).  Sure it is a dictionary/leet word variant, but five
characters actually carry plenty of entropy (if mixed case and numerics
are also used).  However, if you have an authentication mechanism that
doesn't lock out an account and *allows* brute forcing, it doesn't
really matter how strong the password is; given enough
universe-lifetimes an attacker will always guess it eventually.

I second Martin's comment.  There's no point in talking to users about
password selection if the application doesn't A) lock the account after X
number of failed attempts *AND* B) force password expiration/rotation.
There's a very basic mathematical formula found in the Department of Defense
Password Management Guideline[1] that can be used to calculate the risk
associated with any particular password policy versus brute force guessing.
Definitely required reading for anyone designing or specifying a password
authentication mechanism.

Let me restate the question:

I have a client who uses the same, really easy, really guessable
password for all the sites he visits. It is a 5 letter word with one
character changed to a numeric, if you know his name, you'll probably
guess his password within a couple of attempts.

I've explained the problem with this to him and I've preached as much
as I can. I know all about secure passwords, entropy and stuff like
that but all I want is a couple of minute video that shows someone
launching something like hydra, setting it up by clicking a few
buttons, clicking go then a few minutes later a password pops out
somewhere.

All I'm after is the viewer sitting back and going "wow, is it that
easy to break my password" then going through and changing it to
something a more secure.

So, I'm not after advice on how to build a secure login system, just a
video to scare users with.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]