Re: Not so much a bug as a warning of new brute force attack

Thayne Forbes (thayne@xmission.com)
Tue, 4 Jun 1996 08:26:59 -0600

> On Mon, 3 Jun 1996, Brett L. Hawn wrote:
> > You can lead a user to a good password but you can only make them use it for
> > so long.
> What about a fascist passwd program which refers to a dictionary and
> rejects "easy" passwords? Does such an animal exist?

There are about a dozen such animals.  In fact, there is one in 'Programming
Perl' as example code.  Npasswd and passwd+ both do this if I recall correctly.

> > Not to mention anyone with the time and desire can create a fairly
> > nifty 'dictfile' like I did a few years back. All it takes is some simple
> > brain power and a LOT of disk space, a quick file that prints all variations
> > of 5-8 character length combinations to a file. I stopped mine at 238megs and
> > it was still going strong.
>
> I think this one comes under the heading of "brute force attack" - just
> with alphanumerics (a-z,A-Z,0-9) you're looking at needing 62^8 entries
> for a complete set of 8 character passwords. It's probably faster to try
> and decrypt the passwd file entry directly.

But maybe you have missed the point.  If all you need to do is crack ANY account
on a system, then a dictionary of about 20,000 words and about 100 rules is
enough.[1]  You can do this on a PeeCee in a couple of hours.  There IS a point
of diminishing returns when we constrain the passwords of users, but allowing
them to use ANY silly password that crosses their mind is something that ought
to be illegal.

[1] On systems with no passwd rules for users, I usually get one crack on
/usr/dict/words, with no permutations applied.
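One way to build the dictionary-checking passwd filter the thread describes, as an added example in Python (not code from this post, from 'Programming Perl', npasswd or passwd+): the candidate password is normalised by the same kinds of rules a dictionary run applies (case folding, stripping trailing digits, undoing digit-for-letter substitutions, reversal) and rejected if any form is a dictionary word. The word list is a constructed stand-in for /usr/dict/words.

```python
import re

# Constructed stand-in for /usr/dict/words; a real filter would load the
# system word list (plus site-specific words such as user names) from disk.
DICTIONARY = {
    "password", "secret", "welcome", "dragon", "letmein",
    "sunshine", "monkey", "qwerty", "master", "thayne",
}

# Common digit/symbol-for-letter substitutions, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Return the normalised forms a rule-based dictionary run would reach:
    lower-cased, with leading/trailing digits or punctuation stripped,
    substitutions undone, and each of those reversed."""
    base = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms = set()
    for s in (base, stripped):
        for t in (s, s.translate(LEET)):
            forms.add(t)
            forms.add(t[::-1])
    forms.discard("")
    return forms


def check_password(password, dictionary=DICTIONARY, min_length=8):
    """Return None if the password is acceptable, otherwise the reason
    it was rejected (the message a passwd program would print)."""
    if len(password) < min_length:
        return "too short"
    for form in candidate_forms(password):
        if form in dictionary:
            return f"derived from dictionary word '{form}'"
    if password.islower() or password.isdigit():
        return "uses a single character class"
    return None


if __name__ == "__main__":
    for pw in ("Dragon99", "terces!!", "P@ssw0rd", "xk3!Lm9#vq"):
        print(pw, "->", check_password(pw) or "accepted")
```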