password strength checking not consistently implemented
Terry Lambert
tlambert2 at mindspring.com
Fri Aug 15 23:44:29 PDT 2003
"Gary W. Swearingen" wrote:
> I'd think that that would depend on the people choosing passwords and
> whether the cracker is going after one particular user or just any one
> of many. I'd expect it, on average, to take a lot less long if you
> start your search well: "password", "drowssap", etc.
>
> (I guess it makes sense that "A. Hacker" WOULD try to discourage
> password strength checking. :)
>
> This reminds me of the guy who insisted on setting his lock with truly
> random numbers and his truly random number generator spit out 0, 0, 0
> (or whatever the factory default was).
You're assuming that everyone uses dictionary attacks, which is
really not true these days.
Actually, thanks to strength-checkers, most crackers have switched
to brute-force, since dictionary attacks no longer work. For some
definitions of "strength checking", they can also ignore the search
space where passwords contain all alphabetic characters.
In general, they pick an account and brute force the password for a
single account (or all accounts with a given salt).
This begs the question of how, if you aren't running NIS, they got
access to your shadow password file in the first place.
-- Terry
More information about the freebsd-chat
mailing list