Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: thayne () xmission com (Thayne Forbes)
Date: Tue, 4 Jun 1996 08:26:59 -0600


On Mon, 3 Jun 1996, Brett L. Hawn wrote:
You can lead a user to a good password but you can only make them use it for
so long.
What about a fascist passwd program which refers to a dictionary and
rejects "easy" passwords? Does such an animal exist?

There are about a dozen of such animals.  In fact, there is one in 'Programming
Perl' as example code.  Npasswd and passwd+ both do this if I recall correctly.

Not to mention anyone with the time and desire can create a fairly
nifty 'dictfile' like I did a few years back. All it takes is some simple
brain power and a LOT of disk space, a quick file that prints all variations
of 5-8 character length combinations to a file. I stopped mine at 238megs and
it was still going strong.

I think this one comes under the heading of "brute force attack" - just
with alphanumerics (a-z,A-Z,0-9) you're looking at needing 62^8 entries
for a complete set of 8 character passwords. It's probably faster to try
and decrypt the passwd file entry directly.

But maybe you have missed the point.  If all you need to do is crack ANY account
on a system, then a dictionary of about 20,000 words and about 100 rules is
enough.[1]  You can do this on a PeeCee in a couple of hours.  There IS a point
of diminishing returns when we constrain the passwords of users, but allowing
them to use ANY silly password that crosses their mind is something that ought
to be illegal.

[1] On systems with no passwd rules for users, I usually get one crack on
/usr/dict/words, with no permutations applied.
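
The dictionary-backed passwd check asked about in this thread, sketched as an added example (not part of the original post, and not the code of Npasswd, passwd+ or 'Programming Perl'). The word list, the substitution rules and the function names are assumptions made for illustration; `guess_counts` uses the thread's own figures.

```python
import string

# Constructed sample list; a real check would load a full word list such as
# the /usr/dict/words file mentioned in the thread.
SAMPLE_WORDS = {"password", "dragon", "secret", "wizard", "letmein"}

# Assumed substitution rules to undo (chosen for this example).
UNLEET = str.maketrans("01345@$", "oieasas")
AFFIX = string.digits + string.punctuation


def candidates(pw):
    """Return simple un-mangled forms of pw to compare with the dictionary."""
    low = pw.lower()
    forms = {low, low.translate(UNLEET)}
    for f in list(forms):
        core = f.strip(AFFIX)              # drop affixes such as '1996' or '!'
        forms.update((core, core.translate(UNLEET)))
    for f in list(forms):
        forms.add(f[::-1])                 # reversed word
        half = len(f) // 2
        if len(f) % 2 == 0 and f[:half] == f[half:]:
            forms.add(f[:half])            # doubled word
    return forms


def check_password(pw, words=SAMPLE_WORDS, min_len=8):
    """Return (accepted, reason) for a proposed new password."""
    if len(pw) < min_len:
        return False, "too short"
    hits = candidates(pw) & set(words)
    if hits:
        return False, "derived from dictionary word: " + sorted(hits)[0]
    return True, "ok"


def guess_counts(words=20_000, rules=100, alphabet=62, length=8):
    """Guesses for dictionary-plus-rules versus the full 62^8 space (thread's figures)."""
    return words * rules, alphabet ** length


if __name__ == "__main__":
    for pw in ("Dragon1996", "p4ssw0rd", "terces99", "wizardwizard", "kT7#vq2Lm9"):
        print(pw, check_password(pw))
    print(guess_counts())
```

The check rejects a password when any un-mangled form matches the word list, which is the same dictionary-plus-rules search space the post describes, applied at password-change time.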


