On Thu, Feb 10, 2005 at 10:51:33AM -0600, Rich Adamson wrote:
> There are multiple password guessing tools commonly available on
> the Internet. I eval'ed one of the tools and it took five seconds
> to guess a password that was five characters in length. It took an
> hour to guess a password that was eight characters, and around
> twenty-four hours to guess a password that was eight characters made
> up of uppercase, lowercase and non-alpha characters (eg, complex).
> Regardless, the guessing process is simply how much time does one
> want to devote to doing it (eg, what's the return value for spending
> the time exploiting a system).

Sorry, not in my tests. I used John the Ripper (http://openwall.com/john/),
which is a tool for cracking passwords from password files using dictionaries
and brute force. The password files had passwords of varying quality, and
cracking time was indeed affected:

[*] All-numbers passwords were guessed almost immediately.
[*] Well-composed passwords of 8 characters were not cracked by brute force
    in reasonable time.
[*] Passwords that should be dialed from phones are relatively short and
    all-numbers. Are they never exposed to the internet?

> It doesn't make much difference whether one exposes telnet or ssh.
> Both can be exploited. But, the more complex you make the password,
> the more time-consuming and difficult it is to guess it.
>
> So, if you must expose either telnet or ssh, make your passwords very
> long and complex. If your O/S has the capability to lockout the account
> after 'xx' failed passwords, then do that.

And allow crackers to lock you out. A silly and effective DoS attack.

> Automatically resetting the
> process after 'y' minutes disrupts the guessing process without the
> hacker knowing it, but still allows you access after that auto reset.
> Using something like seven failed attempts with a five minute reset
> is more than adequate in most cases.

-- 
Tzafrir Cohen         | New signature for new address and  | VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's
[EMAIL PROTECTED]     |                                    | best
ICQ# 16849755         | Space reserved for other protocols | friend

_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
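The lockout trade-off argued in this thread (Rich's "seven failed attempts with a five minute reset" versus Tzafrir's point that a lockout lets a cracker lock the owner out), as an added illustration that is not part of either message: a per-account failed-login counter with an optional automatic reset, run against a constructed account "1001" with a constructed password, comparing a permanent lock with a five-minute auto-reset. The credential check is a plain string comparison standing in for a real one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Per-account failed-login counter with optional automatic reset.

    max_failures:  lock the account after this many consecutive failures.
    reset_seconds: forget the streak this long after its first failure;
                   None means a permanent lock that only an admin clears.
    """
    max_failures: int = 7
    reset_seconds: Optional[float] = 300.0
    _streaks: Dict[str, Tuple[int, float]] = field(default_factory=dict, repr=False)

    def _current_failures(self, account: str, now: float) -> int:
        count, started = self._streaks.get(account, (0, now))
        if self.reset_seconds is not None and now - started >= self.reset_seconds:
            self._streaks.pop(account, None)  # window expired: streak forgotten
            return 0
        return count

    def attempt(self, account: str, password: str, correct: str, now: float) -> str:
        """Returns 'locked', 'denied' or 'ok'; `now` is a timestamp in seconds."""
        failures = self._current_failures(account, now)
        if failures >= self.max_failures:
            return "locked"  # rejected before the password is even checked
        if password == correct:  # constructed stand-in for the real check
            self._streaks.pop(account, None)
            return "ok"
        started = self._streaks.get(account, (0, now))[1]
        self._streaks[account] = (failures + 1, started)
        return "denied"


def max_guesses_per_hour(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses per account per hour under the policy."""
    if policy.reset_seconds is None:
        return policy.max_failures  # after that the account stays locked
    return int(policy.max_failures * 3600 / policy.reset_seconds)


def simulate(reset_seconds: Optional[float]) -> Tuple[str, str]:
    """Attacker burns the attempt budget at t=0; the owner then tries the right
    password at t=60s and at t=360s. Returns the owner's two outcomes."""
    policy = LockoutPolicy(max_failures=7, reset_seconds=reset_seconds)
    for i in range(10):  # constructed guessing burst against extension 1001
        policy.attempt("1001", f"guess{i}", "s3cr3t!", now=0.0)
    early = policy.attempt("1001", "s3cr3t!", "s3cr3t!", now=60.0)
    later = policy.attempt("1001", "s3cr3t!", "s3cr3t!", now=360.0)
    return early, later
```

With the auto-reset the owner is locked out for at most one window and the guesser is held to 84 attempts per hour; with a permanent lock the same ten wrong guesses keep the owner out indefinitely.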
