From: Paul Jakma (paulj at domain itg.ie)
Date: Thu 10 May 2001 - 17:55:45 IST
On Thu, 10 May 2001, ajh wrote:
> value can be found. But brute force attacks like this are pretty
> expensive even when using the standard UNIX crypt() function.
not really... i used to run a password cracker in uni and it would
turn up accounts usually within 5 minutes.. that was on an SGI Indy
with something like a 100MHz R4k CPU. Pentium 133 found them even
weak passwords will be cracked with no effort. the more users -> the
more weak passwords.
and crackers are very sophisticated. if i left it running long enough,
it'd start finding what people might think are tough passwords, eg:
> A lot of distros are also using other encryption methods like md5
> which is even more processor expensive to brute force.
they're not expensive to brute force. they're still vulnerable to
> Having a policy/procedure of regular password changes will solve
no.. people will just rotate through a set of weak passwords. but they
can be useful to make sure dormant accounts can not be accessed.
Solution is check new passwords against a dictionary of words / words
with numerical substitions, as RH has done by default for a while.
(through pam_pwdb i think).
> > Presumably this doesn't matter if I use ssh?...
> Someone could in theory brute force logins using every possible
> combination, but there are always easier ways, especially in a college
> network of getting elevated access.
running a crack programme is something any fool can do... root
exploits generally take a bit more research at least.
i had access to the uni machines for many a month after i left, simply
because of crack - using the accounts it found. had i been in any way
clueful i would never have been found...
there's a hell of lot of clueless folks out there. and by regularly
running crack against your password file / NIS passwd.byname map you
can guard against at least a great number of these people.
If you're worried about people who do have a clue, then you should
keep your systems up to date.
- have a password changer that checks against a dictionary
- run crack regularly
- banish NIS if at all possible (eg use SSL LDAP)
- keep ahead of security bug fixes
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:16 GMT