On Thu, 10 May 2001, ajh wrote:
> value can be found. But brute force attacks like this are pretty
> expensive even when using the standard UNIX crypt() function.
not really... i used to run a password cracker in uni and it would
turn up accounts usually within 5 minutes.. that was on an SGI Indy
with something like a 100MHz R4k CPU. Pentium 133 found them even
weak passwords will be cracked with no effort. the more users -> the
more weak passwords.
and crackers are very sophisticated. if i left it running long enough,
it'd start finding what people might think are tough passwords, eg:
> A lot of distros are also using other encryption methods like md5
> which is even more processor expensive to brute force.
they're not expensive to brute force. they're still vulnerable to
> Having a policy/procedure of regular password changes will solve
no.. people will just rotate through a set of weak passwords. but they
can be useful to make sure dormant accounts can not be accessed.
Solution is check new passwords against a dictionary of words / words
with numerical substitutions, as RH has done by default for a while.
(through pam_pwdb i think).
> > Presumably this doesn't matter if I use ssh?...
> Someone could in theory brute force logins using every possible
> combination, but there are always easier ways, especially in a college
> network of getting elevated access.
running a crack programme is something any fool can do... root
exploits generally take a bit more research at least.
i had access to the uni machines for many a month after i left, simply
because of crack - using the accounts it found. had i been in any way
clueful i would never have been found...
there's a hell of a lot of clueless folks out there. and by regularly
running crack against your password file / NIS passwd.byname map you
can guard against at least a great number of these people.
If you're worried about people who do have a clue, then you should
keep your systems up to date.
- have a password changer that checks against a dictionary
- run crack regularly
- banish NIS if at all possible (eg use SSL LDAP)
- keep ahead of security bug fixes
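A new-password check of the kind the mail recommends (dictionary words, reversed words and numeric-substitution variants rejected before the password is accepted), as an added example that is not part of the original post or of pam_pwdb; the word list, substitution tables and minimum length are constructed for illustration.

```python
# Added example, not from the mailing-list post: reject new passwords that a
# cracker would recover from a dictionary run with the usual mangling rules.

# Constructed mini dictionary; a real deployment would load a system word list.
WORDLIST = {"password", "secret", "dublin", "linux", "welcome", "letmein"}

# Character-for-letter substitutions crackers undo automatically (assumed set).
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
         "@": "a", "$": "s", "!": "i", "|": "l"}
# '1' is commonly used for both 'l' and 'i', so try both tables.
SUBSTITUTION_TABLES = [dict(_BASE, **{"1": "l"}), dict(_BASE, **{"1": "i"})]


def _forms(password: str):
    """Yield the dictionary-style forms a cracker would derive from the password."""
    base = password.lower()
    # Also try the word with leading/trailing digits and punctuation removed,
    # so 'secret99' and 'secret!' are caught.
    stems = {base, base.strip("0123456789!@#$%^&*._-")}
    for stem in stems:
        yield stem
        yield stem[::-1]                      # reversed words are a standard rule
        for table in SUBSTITUTION_TABLES:
            unleet = "".join(table.get(c, c) for c in stem)
            yield unleet
            yield unleet[::-1]


def check_password(password: str, wordlist=WORDLIST, min_len=8):
    """Return the reasons a password is rejected (empty list means accepted)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if password.isdigit():
        reasons.append("all digits")
    hit = next((f for f in _forms(password) if f in wordlist), None)
    if hit is not None:
        reasons.append(f"based on dictionary word '{hit}'")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "terces99", "linux", "ILUG-meet-2001-May"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```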
Maintained by the ILUG website team.