Possible attack? - Security

Thread: Possible attack?

  1. Re: Possible attack?

    On Thu, 25 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
    , Unruh wrote:

    >You might want to use my program wgen which generates "words" based
    >on a dictionary. It takes the dictionary and calculates the occurrence
    >of the "trigrams" -- combinations of three letters, including a double
    >init to indicate the beginning of the word.

    You demonstrated that in one of the Usenet newsgroups some time ago,
    and one of our admins adopted your concept - it's one of the choices
    offered on that handout (there are others, including 'intermingling'
    letters from two or more words, as in CdAoTg). I don't know that we
    can tell what mechanism the individual has chosen to form their
    password. The internal (company) auditors have run something similar
    to John-the-Ripper to see if st00pid passwords are used anywhere. They
    haven't clouded up and crapped all over us, so apparently they're not
    having a significant amount of luck guessing passwords.

    >Throw in a few capitals or even punctuation, and you might get that
    >up to 45 (but it is harder than you think to "throw in random
    >punctuation").

    Someone has done statistics and found that in those situations
    "requiring" a capital letter, the result is almost always the first
    letter, rarely the second. When punctuation and a digit are required,
    the result is usually a password ending in ".1". Users are somewhat
    predictable. The problem is quite simple - the password has to be
    rememberable - that _USUALLY_ means it has some memory jogger
    characteristics. Being pronounceable is one, being formed from some
    manipulations of words/phrases/what-ever that are themselves
    memorable is another. Unfortunately, it's also true that the most
    common passwords are memorable to a user because the components that
    make up the password (and more often, the password itself) are
    meaningful/related specifically to that user.

    >It is also better to use longer dictionaries (I have one with 400,000
    >words) as it makes rarer combinations more likely.


    [selene ~]$ cat /net/james.webb/downloads/mwords/[0-9u]* | sort -uf | wc -l
    602351
    [selene ~]$

    http://www.dcs.shef.ac.uk/research/ilash/Moby

    Old guy
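An added example (not the wgen program, nor any code from the thread's authors): a trigram word generator in the spirit of the approach Unruh describes, padding each dictionary word with a double start marker so that first letters are also drawn from the dictionary's statistics, together with a check for the formulaic habits the reply mentions (the only capital at the front, a ".1"-style tail). The marker characters, the function names and the dictionary used in the test are my own constructions.

```python
import random
from collections import defaultdict

START, END = "^", "$"  # constructed markers; START*2 plays the "double init" role

def trigram_table(words):
    """For each two-character context, count which character follows it;
    START*2 and END padding teaches word beginnings and endings too."""
    table = defaultdict(lambda: defaultdict(int))
    for w in words:
        w = w.lower()
        if not w.isalpha():
            continue
        padded = START + START + w + END
        for i in range(len(padded) - 2):
            table[padded[i:i + 2]][padded[i + 2]] += 1
    return table

def generate_word(table, seed=None, min_len=6, max_len=10):
    """Random walk from the double-START context, next letter weighted by count."""
    rng = random.Random(seed)
    for _ in range(1000):  # retry until the length lands in range
        ctx, out = START + START, []
        while len(out) <= max_len:
            counts = table[ctx]  # ctx was reached via an observed transition
            letters = list(counts)
            nxt = rng.choices(letters, weights=[counts[c] for c in letters])[0]
            if nxt == END:
                break
            out.append(nxt)
            ctx = ctx[1] + nxt
        if min_len <= len(out) <= max_len:
            return "".join(out)
    raise RuntimeError("dictionary too small to yield a word in range")

def uses_known_trigrams(word, table):
    """True if every transition in word (start and end included) was seen."""
    padded = START + START + word.lower() + END
    return all(table.get(padded[i:i + 2], {}).get(padded[i + 2], 0) > 0
               for i in range(len(padded) - 2))

def looks_formulaic(pw):
    """Flag: the only capital is the first letter, or non-letters are a 2-char tail."""
    caps = [i for i, c in enumerate(pw) if c.isupper()]
    only_first_cap = caps == [0]
    suffix_only = (len(pw) > 2 and pw[:-2].isalpha()
                   and not pw[-1].isalpha() and not pw[-2].isalpha())
    return only_first_cap or suffix_only
```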

  2. Re: Possible attack?

    On Fri, 26 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
    <48DC9722.7080007@gmail.com>, Nico Kadel-Garcia wrote:

    >Tim Greer wrote:


    >> Moe Trin wrote:


    >>> We _try_ to help our users by having a regular hand-out that shows
    >>> ways to create and remember more difficult passwords - the "n'th
    >>> letter of the words of a phrase/song" seems to be tolerable, and a
    >>> heck of a lot more secure than the phone number of the bookie,
    >>> pizza-joint, or what-ever.


    >> If you have people using a lot of different passwords each, or
    >> several, want them to remain unique, but be secure, then in an
    >> office environment, I always have complex passwords, but simply have
    >> the user keep them in a PGP encrypted file that they would use their
    >> one single complex, yet easily enough to remember, password for
    >> viewing.


    We do suggest this, but primarily that's for "home" use. We use a
    central authentication scheme, so (for example) I have to remember
    four usernames (the normal one, plus three "role" usernames), and
    four authentication tokens. I'm using the "n'th letter of words"
    style, with recent passwords derived from pre-WW2 Broadway show, movie,
    and period songs - hey, it's something _I_ can remember ;-)

    >>But, of course, there are always problems with trying to get an
    >>office or company full of people to remember passwords and store them
    >>safely.


    especially when people can't see a (direct) reason for all this
    hassle. How soon people forget the (windoze) "Deloader" worm.

    >Heh. I'm remembering a password based on 'The curious incident of the
    >dog in the night-time', where the password owner was talking about
    >the book, and didn't know that it's a famous Sherlock Holmes quote.


    "Sherlock" who??? ;-) I can't even _remember_ when I read that...
    and only vaguely remember the clue Holmes was talking about... wasn't
    that the fact that the dog didn't bark, and Holmes inferred that it
    was the dog's owner or something... Lessee, that was "Silver Blaze"
    according to the local library search engine. A quick search in their
    on-line catalog says that the book ("The memoirs of Sherlock Holmes")
    is currently checked in at the main library down-town... and I also own
    a copy, but it's hidden somewhere in my sister's house on the other
    side of the continent.

    Old guy

  3. Re: Possible attack?

    Moe Trin wrote:
    > On Fri, 26 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
    > <48DC9722.7080007@gmail.com>, Nico Kadel-Garcia wrote:


    >> Heh. I'm remembering a password based on 'The curious incident of the
    >> dog in the night-time', where the password owner was talking about
    >> the book, and didn't know that it's a famous Sherlock Holmes quote.

    >
    > "Sherlock" who??? ;-) I can't even _remember_ when I read that...
    > and only vaguely remember the clue Holmes was talking about... wasn't
    > that the fact that the dog didn't bark, and Holmes inferred that it
    > was the dog's owner or something... Lessee, that was "Silver Blaze"
    > according to the local library search engine. A quick search in their
    > on-line catalog says that the book ("The memoirs of Sherlock Holmes")
    > is currently checked in at the main library down-town... and I also own
    > a copy, but it's hidden somewhere in my sister's house on the other
    > side of the continent.


    It's also a famous quote, famous enough to name a book title for it, that is
    an excellent tool in investigating security incidents. I consider it,
    therefore, a relevant quote for this newsgroup. The idea that the systems
    didn't hiccup when interfered with, and that it was therefore an inside job,
    has stood me in good stead over the years.
