Re: Not so much a bug as a warning of new brute force attack

Bill Broadley (broadley@MATH.Ucdavis.EDU)
Mon, 3 Jun 1996 13:21:26 -0700

>
> Brett L. Hawn writes:
> >
> > Given a file full of usernames and the standard 'dict file' one can
> >
> > Solution:
> >
> > Implement random delay times, logging, and disconnection within the pop3
> > daemon
>
>
> Why not just change the system so that it won't accept a dictionary name as
> a valid password.  Six to eight characters and at least 1 or 2 numbers
> would make it a little more difficult too.
> The main way to crack password files seems to involve using dictionary
> files (that you can easily get from the net) and using brute force to
> compare the encrypted dictionary words to the encrypted passwords.
> Therefore just don't allow dictionary words as passwords.  Although the
> number you can still make your own dictionary files of random characters,
> the percentage of people that would even bother drops big time, IMO.

One or two numbers has little effect on security.  Most users use 0,1,9 or
00,11,99.  Crack comes configured to test for such things, and adding
additional tests is trivial.



--
Bill Broadley           Broadley@math.ucdavis.edu           UCD Math Sys-Admin
Linux is great.         http://ucdmath.ucdavis.edu/~broadley            PGP-ok
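The point Bill makes above (a dictionary word plus a common digit suffix is still a dictionary word to a rule-based cracker) is easy to turn into a proactive password check. The following is an added example, not code from this thread or from Crack; the word list is a constructed stand-in for a real "dict file", and the suffix and substitution rules are assumptions modelled on the patterns the post names.

```python
import re

# Constructed mini word list standing in for a real "dict file" (assumption).
DICTIONARY = {"password", "secret", "dragon", "monkey", "letmein", "welcome"}

# Suffixes users typically append (0, 1, 9, 00, 11, 99 per the post, plus a
# few others). A rule-based cracker generates these variants anyway, so they
# add almost no real strength.
COMMON_SUFFIXES = ["", "0", "1", "9", "00", "11", "99", "123", "!", "1!"]

# Character substitutions that rule-based crackers also try (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_bases(password):
    """Yield the plain-word forms a cracker could have mangled into `password`."""
    p = password.lower()
    seen = set()
    for suffix in COMMON_SUFFIXES:
        if suffix and not p.endswith(suffix):
            continue
        base = p[: len(p) - len(suffix)] if suffix else p
        # Three undo-rules: as-is, leet reversed, trailing digits stripped.
        for form in (base, base.translate(LEET), re.sub(r"\d+$", "", base)):
            if form and form not in seen:
                seen.add(form)
                yield form


def is_dictionary_derived(password, dictionary=DICTIONARY):
    """True if the password is a dictionary word or a trivially mangled one."""
    return any(base in dictionary or base[::-1] in dictionary
               for base in candidate_bases(password))


def check_policy(password, dictionary=DICTIONARY):
    """Return (accepted, reason) for a proposed password under this policy."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if is_dictionary_derived(password, dictionary):
        return False, "dictionary word with a common suffix or substitution"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("dragon1", "monkey99", "p@ssw0rd", "welcome11", "tr7kq9lmx"):
        print(pw, check_policy(pw))
```

Running this against a real word list would reject exactly the "word plus 1 or 2 numbers" choices the quoted suggestion would have accepted.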