RE: UNIX password auditing tool and the search for dictionaries too
It's interesting that you think the cost of resets are minimal. Are yours automated in some way?Almost all the companies that I talk to say it is 30-40% of all calls. Only one company knew what the cost per call was, but all agreed with the Gartner estimate of $15-25 per. Gartner will also tell you that on average employees call 4-5 times per year, making passwords cost $60-100 per user per year. While that may be worth the extra security, there are cheaper solutions. Here is a recent article about passwords: http://www.scmagazine.com/scmagazine/2003_06/cover/index.html Another issue that many companies have is remote users locked out after hours or on the weekends because they don't have a 24x7 helpdesk. Few companies, though want to implement the "20 questions" password reset automation software, since most of them are big honking implementations. I think the point re: 4 digit PINs is suggesting strong authentication. However, to equate an ATM system to an IT system is tough. There are a lot of different implications/costs/benefits. The PIN attack as reported in The Register was against ATM hardware security modules (I didn't actually read the paper, just the article). So, it shouldn't apply to an IT system. However, there is a different attack against fixed length one-time passcodes:http://www.tux.org/pub/security/secnet/papers/secureid.pdf. So a system with variable one-time passcode lengths and 4 digit PINs may be more secure than a 6 digit pin and a 6 digit passcode. Nick -- Nick Owen CEO WiKID Systems, Inc. 404-879-5227 [EMAIL PROTECTED] http://www.wikidsystems.com The End of Passwords -- > -Original Message- > From: Michael Martinez [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 07, 2003 4:49 PM > To: [EMAIL PROTECTED] > Subject: RE: UNIX password auditing tool and the search for dictionaries > too > > > >Before you go too far with strong passwords, remember, they do more > harm > >than good in most cases. You trust your money to a four digit pin so > >think about strong authentication, not strong passwords. Two factor can > >be done with a variety of inexpensive technologies. > > Are you kidding me, you are under the impression that a 4 digit pin is > secure? I for one have no illusions about how insecure a 4 digit pin > actually is! Whatever security is provided by said 4 digit pin is more > related to that fact that there are not freely available pin cracking > tools for ATM machines...as there are password cracking tools. > > >Strong passwords are the number one source of denial of service in most > >environments due to the frequent false reject problem that occurs when > >users can't keep up with frequent changes and strong password. They're > >also one of the highest costs for security since it's the number one > >task for help desks and sys admins to support. > > As a help desk supervisor, I assure you that the related cost of time > and money supporting the reset of passwords is minimal and therefore a > small price to pay for increased security. > > ... > > >In terms of dictionaries, I think the aggressive approach would include > >concatenations and number and special character injections into the > >words. In more secure environments, were users are battered with > monthly > >password changes they usually inject the numeric value for the month > >somewhere in a common word. But the point is, it's not too difficult to > >build a really big database of words with special character and numeric > >injections, run them through the hash algorithm and have a table to > >check for matches. > > If someone were in an environment where they must change their password > monthly...they are probably using the wrong technology. Perhaps a > combination of different layers would be a better solution to monthly > changes. > > ... > > -Original Message- > From: Shane Lahey [mailto:[EMAIL PROTECTED] > Sent: Monday, August 04, 2003 7:38 PM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: UNIX password auditing tool > > Alec Muffett Crack :: http://www.crypticide.org/users/alecm/ > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Monday, August 04, 2003 4:39 PM > > To: [EMAIL PROTECTED] > > Subject: UNIX password auditing tool > > > > > > > > I have tried searches for UNIX password cracking tools and I have come > up > > with little value. Can someone direct me to passwd auditing tools > > besides "John The Ripper" that are free or cost? > > > > Regards, > > James > > > > > > -- > > - > > > > -- > > -- > > > > > --- > > > > > > --- > > > > > -- > - > -- > -- > > ---
Re: UNIX password auditing tool and the search for dictionaries too
In terms of this comment to whoever posted it (sorry, I don't remember who it was): > >Strong passwords are the number one source of denial of service in most > >environments due to the frequent false reject problem that occurs when > >users can't keep up with frequent changes and strong password. They're > >also one of the highest costs for security since it's the number one > >task for help desks and sys admins to support. How is it a high cost for security??? I've always found having someone come down and asking for their id and some other mode of face to face identification makes it pretty easy to reset someone's password. If you simply take advantage of all that garbage they pull on a lot of websites, like your security question is what's your mother's maiden name, you can get around them showing you a fake id...yeah, there are ways of finding out someone's info, but nothing is secure. It's the foundation of your plan that guides your performance. In terms of your dos attack, i might be misreading your question, but strong passwords being dos'd or brute forced (if you consider a really fast brute force attack a dos; i don't, but some do), a lot of places will put a piece of crap machine as their password authentication for their network. yeah, you may have a lot of people logging on and may get periodically bogged down, but you need to find the right machine that'll cause the correct amount of lag. say for a "normal" company (my idea, not necessarily yours) you have 200 people. probably, on average they log on maybe 2-3 times/day...some only once, some maybe 10 times, and those on vacation never...so give them 3 times/day. if you have a fast machine doing password checks and it takes only a second for the logon sequence (password verification), it'll be about 600 seconds or 10 min (200 people x 3 logons/day x 1 sec)...theoretically, of course. if i want to brute force the machine i can do 60/sec. take a crap machine, stable mind you just a slower processor, that takes 10 seconds to verify a password and you've dropped to 6 attempts/sec. Yeah, you do go from 10 min/day of verification to 50 min (if my math is correct) so that's something you need to consider when you think about if it's worth it or not...after finding a reasonable value, it is to me. You could consider it an easier target for dos b/c it's much slower, but then again, you also have to take into consideration this...if you're gonna try to get in using someone's password, why would you attack a crap machine that's exceptionally slow...i'd just stand behind them while they type in their password. i might've missed part of your statement, so if i did...i apologize. after reading your statement, one more thing...if strong password authentication causes a lot of dos b/c people are trying to logon constantly w/the wrong password b/c of password changes, why are you even letting them attempt to logon so many times? if a person mistypes their password 3-5 times, the account should either be deactivated until that person comes and gets you or for a certain number of minutes. print a nice pretty message to the user that this has happened and send yourself a note also so you can go find them if need be. there are holes to that one just like anything (i.e. your boss doesn't like it), but like i said before, nothing's really perfect. if dos'ing occurs b/c people keep entering the wrong password, that's more your fault than theirs. out of curiosity, where did you find it saying that dos is the number one problem w/strong passwords??? adam Adam Newhard Microstrain, Inc. If vegetarians eat vegetables, watch out for humanitarians - Original Message - From: "Michael Martinez" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, August 07, 2003 4:48 PM Subject: RE: UNIX password auditing tool and the search for dictionaries too > >Before you go too far with strong passwords, remember, they do more > harm > >than good in most cases. You trust your money to a four digit pin so > >think about strong authentication, not strong passwords. Two factor can > >be done with a variety of inexpensive technologies. > > Are you kidding me, you are under the impression that a 4 digit pin is > secure? I for one have no illusions about how insecure a 4 digit pin > actually is! Whatever security is provided by said 4 digit pin is more > related to that fact that there are not freely available pin cracking > tools for ATM machines...as there are password cracking tools. > > >Strong passwords are the number one source of denial of service in most > >environments due to the frequent false reject problem that occurs when > &g
RE: UNIX password auditing tool and the search for dictionaries too
On Sat, 9 Aug 2003, Tomas Wolf wrote: > I would like to note a little about the security of 4 digit pin... I > believe that author wanted to point out that thanks to the fact, that > you can't try the 4 digit number more than three times at a time - which > makes it a pretty strong system, not that 4 digit is a strong password. I saw a paper a few months back that claimed you'd need something like 15-24 tries to get a password, due to problems with the PIN algorythm. Oh, and insider access. Very minor detail :D http://www.theregister.co.uk/content/55/29425.html actual paper link is at: http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf Mike ---
RE: UNIX password auditing tool and the search for dictionaries too
Please pardon me if this has already been covered in this thread, I didn't see the earlier posts on the subject. First the PIN algorithm is widely known and there really is no need for much of a PIN cracker program. Like DES the algorithm is published but the keys are kept secret. If an institution uses a simplistic key, which some do, then it is trivial to derive the natural PIN. However most systems don't use the natural PIN but create an offset that is mod 10 added to the natural PIN to create the number that you remember and don't write down anywhere. Bruteforce is handled in one of two ways on almost all ATM systems. On a "track 3 write" system the PIN retry count is decremented and written onto the card so it counts down and when it hits 0 the bank has the option to perform a card retain or just give it back to you with instructions to go into the bank and take care of the problem. The second method simply records the retry count at the host and the same retain/return decision is made when the retry count is exceeded. Either way there is no bruteforce available beyond three tries. Now if you have a card writer and can keep resetting the retry count or bump it up to 99 to start with you have a slightly greater advantage. You have to properly calculate the LRC on the card too without fudging up the data and having the modified card retained on the first insertion. Thank you, Tim Heagarty CISSP, MCSE Tim at TheaSecure dot com http://www.TheaSecure.com/ "There are only 10 kinds of people in the world, those that understand binary, and those that don't." > -Original Message- > From: Tomas Wolf [mailto:[EMAIL PROTECTED] > Sent: Saturday, August 09, 2003 4:04 AM > To: Michael Martinez > Cc: [EMAIL PROTECTED] > Subject: RE: UNIX password auditing tool and the search for > dictionaries too > > > I would like to note a little about the security of 4 digit > pin... I believe that author wanted to point out that thanks > to the fact, that you can't try the 4 digit number more than > three times at a time - which makes it a pretty strong > system, not that 4 digit is a strong password. > Of course who has the time, can go from ATM to ATM and try > two passwords at the time to bruteforce it, but that is > almost impossible to achieve (since anybody responsible who > looses any type of financial card usualy reports it the same > day). We have four digits with possible ten variants = 10 on > the fourth power = 10.000 possibilities that is (divided by > two tries per card insertion) 5.000 maximum tries, which > gives us 2.500 average tries to get the right pin (approx. > 1.250 card insertion of two tries)... And let's get the > theory little further, let say that each insertion takes 15 > seconds, that is 1.250x15 = 18.750 second = 312.5 minutes = > 5.208~ hrs. of actuall interaction with ATM... Well maybe for > a student :-) I believe that security is always a trade off. > To have top noch security one has to count with a lot of > expenses with training people to understand and use the craft > of security. Not many end users a willing to authenticate > more than one time, they need to work and not to worry about > IT stuff, that is why we are here, or am I wrong? But there > is always more, isn't there? :-) > > Good luck to you all... > Tomas > > > > >Before you go too far with strong passwords, remember, they do more > > harm > > >than good in most cases. You trust your money to a four > digit pin so > > >think about strong authentication, not strong passwords. > Two factor > > >can be done with a variety of inexpensive technologies. > > > > Are you kidding me, you are under the impression that a 4 > digit pin is > > secure? I for one have no illusions about how insecure a 4 > digit pin > > actually is! Whatever security is provided by said 4 digit pin is > > more related to that fact that there are not freely available pin > > cracking tools for ATM machines...as there are password cracking > > tools. > > > > >Strong passwords are the number one source of denial of service in > > >most environments due to the frequent false reject problem that > > >occurs when users can't keep up with frequent changes and strong > > >password. They're also one of the highest costs for security since > > >it's the number one task for help desks and sys admins to support. > > > > As a help desk supervisor, I assure you that the related > cost of time > > and money supporting the reset of passwords is minimal and > therefore a > > small price to pay for increased security. > > > > ... > > &
RE: UNIX password auditing tool and the search for dictionaries too
He means DoS in the sense that the person doesn't know their password, and can't access the passworded resource, silly. Thus, an allowed person is Denied the Service of a resource. Nobody (ok, almost nobody) is actually worried about an overloaded Password Machine. As far as standing behind people entering their passwords, be careful. You are liable to get slapped. badenIT GmbH System Support Chris Meidinger Tullastrasse 70 79108 Freiburg -Original Message- From: Adam Newhard [mailto:[EMAIL PROTECTED] Sent: Friday, August 08, 2003 3:42 PM To: [EMAIL PROTECTED] Subject: Re: UNIX password auditing tool and the search for dictionaries too In terms of this comment to whoever posted it (sorry, I don't remember who it was): > >Strong passwords are the number one source of denial of service in most > >environments due to the frequent false reject problem that occurs when > >users can't keep up with frequent changes and strong password. They're > >also one of the highest costs for security since it's the number one > >task for help desks and sys admins to support. How is it a high cost for security??? I've always found having someone come down and asking for their id and some other mode of face to face identification makes it pretty easy to reset someone's password. If you simply take advantage of all that garbage they pull on a lot of websites, like your security question is what's your mother's maiden name, you can get around them showing you a fake id...yeah, there are ways of finding out someone's info, but nothing is secure. It's the foundation of your plan that guides your performance. In terms of your dos attack, i might be misreading your question, but strong passwords being dos'd or brute forced (if you consider a really fast brute force attack a dos; i don't, but some do), a lot of places will put a piece of crap machine as their password authentication for their network. yeah, you may have a lot of people logging on and may get periodically bogged down, but you need to find the right machine that'll cause the correct amount of lag. say for a "normal" company (my idea, not necessarily yours) you have 200 people. probably, on average they log on maybe 2-3 times/day...some only once, some maybe 10 times, and those on vacation never...so give them 3 times/day. if you have a fast machine doing password checks and it takes only a second for the logon sequence (password verification), it'll be about 600 seconds or 10 min (200 people x 3 logons/day x 1 sec)...theoretically, of course. if i want to brute force the machine i can do 60/sec. take a crap machine, stable mind you just a slower processor, that takes 10 seconds to verify a password and you've dropped to 6 attempts/sec. Yeah, you do go from 10 min/day of verification to 50 min (if my math is correct) so that's something you need to consider when you think about if it's worth it or not...after finding a reasonable value, it is to me. You could consider it an easier target for dos b/c it's much slower, but then again, you also have to take into consideration this...if you're gonna try to get in using someone's password, why would you attack a crap machine that's exceptionally slow...i'd just stand behind them while they type in their password. i might've missed part of your statement, so if i did...i apologize. after reading your statement, one more thing...if strong password authentication causes a lot of dos b/c people are trying to logon constantly w/the wrong password b/c of password changes, why are you even letting them attempt to logon so many times? if a person mistypes their password 3-5 times, the account should either be deactivated until that person comes and gets you or for a certain number of minutes. print a nice pretty message to the user that this has happened and send yourself a note also so you can go find them if need be. there are holes to that one just like anything (i.e. your boss doesn't like it), but like i said before, nothing's really perfect. if dos'ing occurs b/c people keep entering the wrong password, that's more your fault than theirs. out of curiosity, where did you find it saying that dos is the number one problem w/strong passwords??? adam Adam Newhard Microstrain, Inc. If vegetarians eat vegetables, watch out for humanitarians ----- Original Message ----- From: "Michael Martinez" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, August 07, 2003 4:48 PM Subject: RE: UNIX password auditing tool and the search for dictionaries too > >Before you go too far with strong passwords, remember, they do more > harm > >than good in most cases. You trust your money to a four digit pin so > >think about
RE: UNIX password auditing tool and the search for dictionaries too
>Before you go too far with strong passwords, remember, they do more harm >than good in most cases. You trust your money to a four digit pin so >think about strong authentication, not strong passwords. Two factor can >be done with a variety of inexpensive technologies. Are you kidding me, you are under the impression that a 4 digit pin is secure? I for one have no illusions about how insecure a 4 digit pin actually is! Whatever security is provided by said 4 digit pin is more related to that fact that there are not freely available pin cracking tools for ATM machines...as there are password cracking tools. >Strong passwords are the number one source of denial of service in most >environments due to the frequent false reject problem that occurs when >users can't keep up with frequent changes and strong password. They're >also one of the highest costs for security since it's the number one >task for help desks and sys admins to support. As a help desk supervisor, I assure you that the related cost of time and money supporting the reset of passwords is minimal and therefore a small price to pay for increased security. ... >In terms of dictionaries, I think the aggressive approach would include >concatenations and number and special character injections into the >words. In more secure environments, were users are battered with monthly >password changes they usually inject the numeric value for the month >somewhere in a common word. But the point is, it's not too difficult to >build a really big database of words with special character and numeric >injections, run them through the hash algorithm and have a table to >check for matches. If someone were in an environment where they must change their password monthly...they are probably using the wrong technology. Perhaps a combination of different layers would be a better solution to monthly changes. ... -Original Message- From: Shane Lahey [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2003 7:38 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: UNIX password auditing tool Alec Muffett Crack :: http://www.crypticide.org/users/alecm/ > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Monday, August 04, 2003 4:39 PM > To: [EMAIL PROTECTED] > Subject: UNIX password auditing tool > > > > I have tried searches for UNIX password cracking tools and I have come up > with little value. Can someone direct me to passwd auditing tools > besides "John The Ripper" that are free or cost? > > Regards, > James > > -- > - > -- > -- --- --- ---
RE: UNIX password auditing tool and the search for dictionaries too
Before you go too far with strong passwords, remember, they do more harm than good in most cases. You trust your money to a four digit pin so think about strong authentication, not strong passwords. Two factor can be done with a variety of inexpensive technologies. Strong passwords are the number one source of denial of service in most environments due to the frequent false reject problem that occurs when users can't keep up with frequent changes and strong password. They're also one of the highest costs for security since it's the number one task for help desks and sys admins to support. It's important to understand that most password attacks are not cracking the password encryption or hashes. In fact, that's still a very difficult task. The common password exploit on weak passwords is to run a large dictionary through the selected hash algorithm and then simple look up the captured hash values in the dictionary. A recent U of M exploit was a simple, inline keystroke logger. For the social engineer or thief, most desktops come with files on the desktop of passwords - beats the old post-it-note problem since most users simply have too many passwords for a single sheet of paper to work. The problem with weak passwords is mostly about using a weak handshaking, passing simple hashes rather than well encrypted passwords and keeping hash values accessible. In terms of dictionaries, I think the aggressive approach would include concatenations and number and special character injections into the words. In more secure environments, were users are battered with monthly password changes they usually inject the numeric value for the month somewhere in a common word. But the point is, it's not too difficult to build a really big database of words with special character and numeric injections, run them through the hash algorithm and have a table to check for matches. Dictionaries should also be modified for upper and lower case variations. I'd like to hear from others about the password vulnerabilities they're seeing in non NT server environments. "strong passwords are an oxymoron" KWK -Original Message- From: Shane Lahey [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2003 7:38 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: UNIX password auditing tool Alec Muffett Crack :: http://www.crypticide.org/users/alecm/ > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Monday, August 04, 2003 4:39 PM > To: [EMAIL PROTECTED] > Subject: UNIX password auditing tool > > > > I have tried searches for UNIX password cracking tools and I have come up > with little value. Can someone direct me to passwd auditing tools > besides "John The Ripper" that are free or cost? > > Regards, > James > > -- > - > -- > -- --- ---
RE: UNIX password auditing tool and the search for dictionaries too
I would like to note a little about the security of 4 digit pin... I believe that author wanted to point out that thanks to the fact, that you can't try the 4 digit number more than three times at a time - which makes it a pretty strong system, not that 4 digit is a strong password. Of course who has the time, can go from ATM to ATM and try two passwords at the time to bruteforce it, but that is almost impossible to achieve (since anybody responsible who looses any type of financial card usualy reports it the same day). We have four digits with possible ten variants = 10 on the fourth power = 10.000 possibilities that is (divided by two tries per card insertion) 5.000 maximum tries, which gives us 2.500 average tries to get the right pin (approx. 1.250 card insertion of two tries)... And let's get the theory little further, let say that each insertion takes 15 seconds, that is 1.250x15 = 18.750 second = 312.5 minutes = 5.208~ hrs. of actuall interaction with ATM... Well maybe for a student :-) I believe that security is always a trade off. To have top noch security one has to count with a lot of expenses with training people to understand and use the craft of security. Not many end users a willing to authenticate more than one time, they need to work and not to worry about IT stuff, that is why we are here, or am I wrong? But there is always more, isn't there? :-) Good luck to you all... Tomas > >Before you go too far with strong passwords, remember, they do more > harm > >than good in most cases. You trust your money to a four digit pin so > >think about strong authentication, not strong passwords. Two factor can > >be done with a variety of inexpensive technologies. > > Are you kidding me, you are under the impression that a 4 digit pin is > secure? I for one have no illusions about how insecure a 4 digit pin > actually is! Whatever security is provided by said 4 digit pin is more > related to that fact that there are not freely available pin cracking > tools for ATM machines...as there are password cracking tools. > > >Strong passwords are the number one source of denial of service in most > >environments due to the frequent false reject problem that occurs when > >users can't keep up with frequent changes and strong password. They're > >also one of the highest costs for security since it's the number one > >task for help desks and sys admins to support. > > As a help desk supervisor, I assure you that the related cost of time > and money supporting the reset of passwords is minimal and therefore a > small price to pay for increased security. > > ... > > >In terms of dictionaries, I think the aggressive approach would include > >concatenations and number and special character injections into the > >words. In more secure environments, were users are battered with > monthly > >password changes they usually inject the numeric value for the month > >somewhere in a common word. But the point is, it's not too difficult to > >build a really big database of words with special character and numeric > >injections, run them through the hash algorithm and have a table to > >check for matches. > > If someone were in an environment where they must change their password > monthly...they are probably using the wrong technology. Perhaps a > combination of different layers would be a better solution to monthly > changes. > > ... > > -Original Message- > From: Shane Lahey [mailto:[EMAIL PROTECTED] > Sent: Monday, August 04, 2003 7:38 PM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: UNIX password auditing tool > > Alec Muffett Crack :: http://www.crypticide.org/users/alecm/ > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Monday, August 04, 2003 4:39 PM > > To: [EMAIL PROTECTED] > > Subject: UNIX password auditing tool > > > > > > > > I have tried searches for UNIX password cracking tools and I have come > up > > with little value. Can someone direct me to passwd auditing tools > > besides "John The Ripper" that are free or cost? > > > > Regards, > > James > > > > > > -- > > - > > > > -- > > -- > > > > > --- > > > > > > --- > > > > > --- > > ---
