good/bad passwords question (Linux Security forums, System Security and Security Related category)
Proteus <proteus@uselessemail.net> writes:

> On Thu, 24 Nov 2005 01:31:49 +0000, Unruh wrote:
> ..
> > No it is NOT a huge search. The total number of words of 6 or fewer letters
> > is only about 2 times the number of words of length 6. say about 40000
> > words in my 300000 word dictionary. That is trivial to search through, not
> > by hand of course but by computer.
> ..
>
> Amazing, it now seems not strange at all that so many people have their
> systems hacked (cracked) into, given that lots of people likely just use
> dictionary words or combinations of dict words.

Thinking aloud: Such an attack can only work if the system is open for
remote login to start with - or?

--
======================================================================
Martin Schöön <Martin.Schoon@gmail.com>
"Problems worthy of attack prove their worth by hitting back"  Piet Hein
======================================================================
On Thu, 24 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2005.11.24.14.22.34.584959@uselessemail.net>, Proteus wrote:

>Amazing, it now seems not strange at all that so many people have their
>systems hacked (cracked) into, given that lots of people likely just use
>dictionary words or combinations of dict words.

Most of the distributions I've used in the past ten years had some form of
password Nazi, sometimes a special passwd application, sometimes just a
plugin to PAM, that restricted what a user could have as a password. Do a
'grep' for 'passwd' in the LSM file at a sunsite mirror, and you'd find a
number of them, such as

Begin3
Title:          npasswd_boulder+l-src
Version:        N/A
Entered-date:   May 1, 1995
Description:    A replacement passwd(8) program with reasonably strict
                checking of user passwords for added security against
                dictionary attacks. Source package. Only minor changes
                from the original source were necessary for Linux.
Keywords:       security password
Author:         Many and various. Linux port by cmetz@inner.net (Craig Metz).
Primary-site:   sunsite.unc.edu /pub/Linux/system/Admin/accounts
                npasswd_boulder+l-src.tar.gz
Platforms:      Many UNIX platforms.
Copying-policy: GPL
End

Look at the documentation for PAM, and you'll find a lot more tricks.

Old guy
On 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<s5zfypli35m.fsf@gmail.com>, Schöön Martin wrote:

>Thinking aloud: Such an attack can only work if the system is open
>for remote login to start with - or?

Basically correct - but this also deals with situations where the attacker
has access to the keyboard. In MOST cases, if the attacker can reboot the
system, all bets are off ("Physical Access beats five aces _every_time_"),
but many systems default to a configuration where entering multiple bad
passwords for a specific user in a set amount of time (or some similar
circumstance) results in the system delaying response (maybe taking 10
seconds to return that "Login incorrect" message). But I've seen anonymous
FTP servers kick into a delay mode when the user screws up entering the
username and password.

Old guy
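The delay-on-repeated-failure behaviour described above, as an added example that is not from the thread and not the code of any PAM module: a per-user throttle that counts failed logins inside a sliding window and tells the login program how long to stall before answering. The window, the number of free attempts and the doubling schedule are my assumptions; pam_faildelay and pam_tally2 implement real variants with their own parameters.

```python
"""Added example (not from the thread): per-user login throttle that delays
the 'Login incorrect' reply after repeated failures in a time window."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional


class LoginThrottle:
    """Tracks recent failed logins per user and says how long to stall the next reply."""

    def __init__(self, window: float = 60.0, free_attempts: int = 3,
                 base_delay: float = 2.0, max_delay: float = 30.0,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.window = window                  # seconds a failure stays counted
        self.free_attempts = free_attempts    # failures answered without delay
        self.base_delay = base_delay          # first penalty, doubled per extra failure
        self.max_delay = max_delay            # cap so the stall stays bounded
        self.clock = clock or time.monotonic  # injectable so tests need not sleep
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str) -> None:
        """Drop failures older than the window (they no longer count)."""
        now = self.clock()
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def delay_for(self, user: str) -> float:
        """Seconds the caller should sleep before answering this user's next attempt."""
        self._prune(user)
        excess = len(self._failures[user]) - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def record_failure(self, user: str) -> float:
        """Register a bad password and return the delay to apply to the reply."""
        self._prune(user)
        self._failures[user].append(self.clock())
        return self.delay_for(user)

    def record_success(self, user: str) -> None:
        """A good password clears the counter."""
        self._failures.pop(user, None)


def demo() -> List[float]:
    """Seven bad passwords for one user one second apart, then a look after the window."""
    now = [0.0]                                   # fake clock, constructed for the demo
    throttle = LoginThrottle(clock=lambda: now[0])
    delays = []
    for _ in range(7):
        delays.append(throttle.record_failure("alice"))
        now[0] += 1.0
    now[0] += 61.0                                # everything has aged out of the window
    delays.append(throttle.delay_for("alice"))
    return delays


if __name__ == "__main__":
    print(demo())
```

The login program is expected to `time.sleep()` for the returned value before printing its error, which is done outside the class so the demo does not block. Two caveats a practitioner should keep in mind: keying the counter on the user name means anyone who can reach the login prompt can make a legitimate user wait, so the cap matters, and none of this touches the offline case where the attacker already has the hash, which is why the password-quality checks discussed elsewhere in the thread are still needed.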
On Thu, 24 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2005.11.24.16.57.59.705738@somewhere.com>, John wrote:

>Just a suggestion - check out "apg".

First hit at google for the words 'apg password generator' turns it up.
Doesn't look as if it's being actively developed (last release appears to be
September 2003), but I suspect that there isn't that much more that can be
developed. If you are really hard-nosed about password security, there might
be a minor disadvantage of the regularity of the construct of a pronounceable
word (often, alternating consonant - vowel pattern), but the whole idea here
is that this type of tool significantly increases the range of "usable" words.

>You can combine 2 or more of these into a password that is pretty good and
>also easy to remember.

which has always been a good method even with dictionary words

>Or separate the pronounceable components with punctuation characters for
>more complexity.

Even better - again, some password monitoring tools such as the module
included in PAM can be set to require mixed case, a digit or two, and
punctuation, in addition to a minimum length.

Old guy
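An added example, not from the thread and not the code of apg, npasswd or any PAM module, covering both the strength checking described in the earlier reply (npasswd, the PAM plugin) and the generation method discussed here: a checker that enforces a minimum length and character classes and rejects dictionary words including simply mangled forms, and a generator that builds a password from several pronounceable consonant-vowel components joined with punctuation. The syllable construction, thresholds and the tiny dictionary are my assumptions, not apg's algorithm or pam_cracklib's rules.

```python
"""Added example (not from the thread): a cracklib-style password checker
plus an apg-style pronounceable generator whose output passes the checker."""
import secrets
import string
from typing import List, Optional, Set

# Constructed stand-in for /usr/share/dict/words.
DICTIONARY: Set[str] = {"lemon", "tiger", "banana", "summer", "password", "secret"}

# Common 1337 substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def dictionary_hits(password: str, words: Set[str]) -> Optional[str]:
    """Return the dictionary word the password is built from, if any.
    Covers the cheap transformations a cracker tries first: case folding,
    stripped leading/trailing digits and punctuation, 1337 substitutions,
    reversal, and a dictionary word that makes up at least half the password."""
    base = password.lower()
    stripped = base.strip(string.digits + string.punctuation)
    forms = {base, stripped, stripped.translate(LEET), stripped[::-1]}
    for f in forms:
        if f in words:
            return f
    for w in words:
        if len(w) >= 4 and w in base and len(w) * 2 >= len(base):
            return w
    return None


def check_password(password: str, minlen: int = 10, min_classes: int = 3,
                   words: Set[str] = DICTIONARY) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < minlen:
        problems.append(f"shorter than {minlen} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < min_classes:
        problems.append(f"uses {sum(classes)} character classes, need {min_classes}")
    hit = dictionary_hits(password, words)
    if hit:
        problems.append(f"based on dictionary word {hit!r}")
    return problems


CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def pronounceable(length: int, rng=secrets) -> str:
    """Strict consonant-vowel alternation: easy to say, and also the regularity
    Old guy notes as a minor weakness, since it shrinks the search space."""
    return "".join(rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length))


def generate(components: int = 3, component_len: int = 5, rng=secrets) -> str:
    """Several pronounceable components separated by punctuation, first one
    capitalised and a digit appended, so the result satisfies check_password()."""
    parts = [pronounceable(component_len, rng) for _ in range(components)]
    parts[0] = parts[0].capitalize()
    separator = rng.choice("!#%&*+-=?@_")
    return separator.join(parts) + rng.choice(string.digits)


if __name__ == "__main__":
    for candidate in ("lemon7", "Summ3r!!!!", "Nomel!!", generate()):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The `rng` parameter accepts anything with a `choice()` method, so `secrets` is used by default and a seeded `random.Random` can be passed for reproducible tests; generated passwords must of course come from `secrets`. Two pronounceable five-letter components give roughly `(18*5*18*5*18)^2` possibilities per component pair before the separator and digit, which is far larger than the 40000-word short list from the start of the thread, and that is the point of the approach.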