Forwarded from: Jason Burzenski <[EMAIL PROTECTED]>

I recommend users use a personal cryptography system to ensure quality
passwords.  The idea is: the user chooses a cipher to remember that
will be applied to passwords, and the passwords before they are
ciphered.

For example, if you insist that your password should be iluvlinux for
your email account and ihatelinux for your network logon you might
apply a simple substitution cipher that changes all vowels to h4ck3r
vowels, then pad the password with predetermined special characters
such as a ^ prefix and a ) suffix.  For added strength, any consonants
occurring before the letter N will be capitalized.  The user would
then use ^1LuvL1nux) to access email and ^1H4t3L1nux) for network
logon.

A user need only remember the cipher and a common word/phrase in order
to maintain a set of strong passwords.

This is also helpful in an environment where users insist on writing
their passwords on sticky notes and attaching them to the sides of
their monitors. Finding a list of common words will not allow an
attacker to gain entry without knowing the correct cipher.

If you're truly a genius and you have room in your mind for more than
one cipher, you can associate a cipher with a set of associated
systems.  Have a cipher for work, for personal business, for spam
generating websites, etc.

It's not a cure-all, but ^CH4rL13) is still a stronger password than
charlie.

Jason Burzenski, CISSP
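The transformation described in the message above, implemented as an added example (this is not code from the post or from its author). The vowel substitutions, the ^ prefix, the ) suffix and the capitalisation rule are taken from the post; reading "consonants occurring before the letter N" as "consonants alphabetically before n" is inferred from the post's own three examples, which the code reproduces. The o -> 0 mapping, the second "personal" cipher and the complexity-policy check are assumptions added for illustration.

```python
"""Personal password cipher, as an added example (not from the original post).

Rules from the post: vowels become h4ck3r digits, consonants alphabetically
before 'n' are capitalised, and the result is padded with '^' and ')'.
Assumptions: the 'o' -> '0' mapping (no 'o' appears in the post's examples),
the PERSONAL_CIPHER definition, and the complexity-policy thresholds.
"""
from dataclasses import dataclass, field
import string

VOWELS = "aeiou"


@dataclass(frozen=True)
class PersonalCipher:
    """One memorised cipher: vowel substitutions, a capitalisation cut-off
    letter, and fixed prefix/suffix padding."""
    vowel_map: dict = field(default_factory=dict)
    cap_before: str = "n"   # consonants alphabetically before this letter are capitalised
    prefix: str = ""
    suffix: str = ""

    def apply(self, phrase: str) -> str:
        """Transform a memorable base word/phrase into the password actually used."""
        out = []
        for ch in phrase.lower():
            if ch in self.vowel_map:
                out.append(self.vowel_map[ch])
            elif ch in string.ascii_lowercase and ch not in VOWELS and ch < self.cap_before:
                out.append(ch.upper())
            else:
                out.append(ch)
        return self.prefix + "".join(out) + self.suffix


# The cipher described in the post ('u' is left unchanged, as in ^1LuvL1nux)).
WORK_CIPHER = PersonalCipher(
    vowel_map={"a": "4", "e": "3", "i": "1", "o": "0"},  # o -> 0 is an assumption
    cap_before="n",
    prefix="^",
    suffix=")",
)

# A second, hypothetical cipher for another set of systems, as the post suggests.
PERSONAL_CIPHER = PersonalCipher(
    vowel_map={"a": "@", "e": "3", "i": "!", "o": "0"},
    cap_before="t",
    prefix="",
    suffix="#7",
)


def meets_complexity_policy(password: str, min_len: int = 8) -> bool:
    """Assumed policy: at least min_len characters and all four character
    classes (upper, lower, digit, other) present."""
    classes = {
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    }
    return len(password) >= min_len and classes == {True}


def demo() -> dict:
    """Reproduce the post's examples and show the policy check on each."""
    results = {}
    for base in ("iluvlinux", "ihatelinux", "charlie"):
        pw = WORK_CIPHER.apply(base)
        results[base] = (pw, meets_complexity_policy(pw))
    return results


if __name__ == "__main__":
    for base, (pw, ok) in demo().items():
        print(f"{base:12s} -> {pw:14s} policy ok: {ok}")
```

Because the transformation is deterministic, the same base word always yields the same password under a given cipher; that is what makes the scheme memorable, and it is also why the post suggests keeping separate ciphers for separate groups of systems.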


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of InfoSec News
Sent: Friday, May 24, 2002 6:30 AM
To: [EMAIL PROTECTED]
Subject: [ISN] Hackers can crack most in less than a minute


http://news.com.com/2009-1001-916719.html?tag=fd_lede

By Rob Lemos
Staff Writer, CNET News.com
May 22, 2002, 4:00 a.m. PT

When a regional health care company called in network protection firm
Neohapsis to find the vulnerabilities in its systems, the
Chicago-based security company knew a sure place to look.

Retrieving the password file from one of the health care company's
servers, the consulting firm put "John the Ripper," a well-known
cracking program, on the case. While well-chosen passwords could take
years--if not decades--of computer time to crack, it took the program
only an hour to decipher 30 percent of the passwords for the nearly
10,000 accounts listed in the file.

"Just about every company that we have gone into, even large
multinationals, has a high percentage of accounts with easily
(cracked) passwords," said Greg Shipley, director of consulting for
Neohapsis. "We have yet to see a company whose employees don't pick
bad passwords."

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.
