[Dshield] open source passwd generator needed

Ed Truitt ed.truitt at etee2k.net
Fri Dec 30 14:21:38 GMT 2005


It depends on the hash used.  If you use Windows, and the LANMAN hash is generated, an all-alpha password can be brute-forced in a matter of minutes, due to the characteristics of the hash (all alpha chars are upper-cased before the password is hashed!)

-EdTr
-----Original Message-----
From: Matthias Jänichen <mj2 at percomp.de>
Date: Fri, 30 Dec 2005 14:33:14 
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] open source passwd generator needed

At 16:36 29.12.2005 -0500, Wes S wrote:
>I need a password generator since my brain is getting tired of trying
>to come up with passwords.  One that can be configured to produce
>passwords that match password policy in effect would be nice.

That raises an interesting question: "What is a theoretically good PW 
policy regarding PW generation?"

Is an eight char password from the set [a-zA-Z0-9](plus some 10 
specials like "$%&") more complex to break than a 9 or 10 char PW 
from only [a-zA-Z]???

Numerics say NO: 52^9 > 72^8

Or is the regular request for special chars only to force users not 
to use readable PWs?

Is a longer password more difficult than a shorter one when you take 
into calculation that only a Hash of it is stored?

The following idea is quite interesting and might solve your problem:
http://www.cryptme.com/e/PaTHwordDescription.asp

if you want to try it:

http://www.savernova.com/cms/16.html

Just view the flash demo and the webcard-Link on the right.

Smart idea, but you are lost when you lose your card. Not that your 
systems are endangered, but you'll have trouble remembering your PW yourself.

Even more interesting, you can even stick that card next to your PC; 
without the initial row/column and the "reading method" it is 
worthless to any attacker.

Interested in your comments
Have a nice New Years Eve!

Matthias 


Cheers,
-E D Truitt
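
An added example, not part of the thread: a policy-configurable generator of the kind the original request asks for, with the keyspace arithmetic from the messages above. The class names, the ten sample specials and all function names are assumptions made for this sketch.

```python
import math
import secrets
import string

# Character classes. The thread only says "some 10 specials", so this
# particular set of ten is a constructed sample.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "$%&!#*+-=?",
}

def keyspace_bits(alphabet_size, length):
    """log2 of alphabet_size**length, i.e. bits if every password is equally likely."""
    return length * math.log2(alphabet_size)

def case_folded_alphabet(classes):
    """Distinct characters left when letters are upper-cased before hashing."""
    chars = "".join(CLASSES[c] for c in classes)
    return len(set(chars.upper()))

def generate(length, classes, require_each=True):
    """Return a uniformly random password from the policy-compliant set.

    Rejection sampling: draw every position from the full alphabet with a
    CSPRNG and retry until each required class appears, so no position is
    biased toward a class. The requirement itself removes some candidates,
    which makes keyspace_bits() an upper bound for such a policy.
    """
    if require_each and length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(
            any(ch in CLASSES[c] for ch in pw) for c in classes
        ):
            return pw

if __name__ == "__main__":
    full = ["lower", "upper", "digit", "special"]   # 72 characters
    alpha = ["lower", "upper"]                      # 52 characters
    print(generate(8, full), round(keyspace_bits(72, 8), 1), "bits")
    print(generate(9, alpha), round(keyspace_bits(52, 9), 1), "bits")
    # With case folding, the 52-letter set shrinks to 26 and 72 shrinks to 46.
    folded = case_folded_alphabet(alpha)
    print(folded, round(keyspace_bits(folded, 9), 1), "bits after upper-casing")
```
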
