Re: Not so much a bug as a warning of new brute force attack

Brett L. Hawn (blh@nol.net)
Mon, 3 Jun 1996 14:49:03 -0500

On Mon, 3 Jun 1996, Aaron Merifield wrote:

> Why not just change the system so that it won't accept a dictionary name as
> a valid password?  Six to eight characters and at least 1 or 2 numbers
> would make it a little more difficult too.
> The main way to crack password files seems to involve using dictionary
> files (that you can easily get from the net) and using brute force to
> compare the encrypted dictionary words to the encrypted passwords.
> Therefore just don't allow dictionary words as passwords.  Although the
> number you can still make your own dictionary files of random characters,
> the percentage of people that would even bother drops big time, IMO.

You can lead a user to a good password but you can only make them use it for
so long. Not to mention anyone with the time and desire can create a fairly
nifty 'dictfile' like I did a few years back. All it takes is some simple
brain power and a LOT of disk space, a quick file that prints all variations
of 5-8 character length combinations to a file. I stopped mine at 238megs and
it was still going strong.

Brett
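
The acceptance check proposed in the quoted message, together with a size estimate for the exhaustive list described in the reply, as an added example that is not part of the original post. The sample word set, the function names and the lowercase-only alphabet are assumptions; stripping digits and checking the reversed word goes beyond the literal proposal.

```python
import string

# Constructed sample word list; a real deployment would load a full dictionary file.
SAMPLE_WORDS = {"password", "dragon", "secret", "monkey", "letmein"}

MIN_LEN, MAX_LEN = 6, 8   # "six to eight characters" from the quoted proposal
MIN_DIGITS = 1            # "at least 1 or 2 numbers"


def base_word(candidate):
    """Lowercase the candidate and strip digits/punctuation from both ends."""
    return candidate.lower().strip(string.digits + string.punctuation)


def check_password(candidate, words=SAMPLE_WORDS):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        reasons.append("length")
    if sum(c.isdigit() for c in candidate) < MIN_DIGITS:
        reasons.append("digits")
    core = base_word(candidate)
    # Reject the word itself, the word with digits tacked on, and its reverse,
    # since a policy that only matches exact words is satisfied by "dragon7".
    if candidate.lower() in words or core in words or core[::-1] in words:
        reasons.append("dictionary")
    return reasons


def exhaustive_list_bytes(alphabet_size, min_len, max_len):
    """Bytes needed to store every string of min_len..max_len, one per line."""
    return sum(alphabet_size ** n * (n + 1) for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    for pw in ("dragon", "dragon7", "nogard42", "k4tz9qm", "ab1"):
        print(f"{pw!r:12} -> {check_password(pw) or 'accepted'}")
    # Assumption: lowercase a-z only, lengths 5-8, newline after each entry.
    size = exhaustive_list_bytes(26, 5, 8)
    print(f"exhaustive a-z list, 5-8 chars: {size / 1e12:.2f} TB")
```

Under those assumptions the complete list runs to roughly 1.9 TB, so a file stopped at 238 MB has covered only a small fraction of it.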