> ----------
> From: Michael H. Warfield[SMTP:[EMAIL PROTECTED]]
> Sent: 03 June 1999 17:05
> To: [EMAIL PROTECTED]
> Cc: Maurice Hendrix; '@MailingList: Linux-Newbie'
> Subject: Re: Password Encryption
>
> [...] The best you can do is "brute force". Use a lot of horsepower
> and test out candidate passwords by hashing them and comparing the hash
>
[FX: Bells ringing]
Ah, like the "Bovine Algorithm" that was used to crack the RC5-key last
year?
> to the target to be broken. When you get a match, you've broken the
> password. Good passwords are incredibly difficult to break this way.
> Bad passwords fall to brute forcers like "crack", "John the Ripper", or
> "L0phtCrack" (Windows) in minutes. I ran crack on a password file for
> a site I was assisting with an intruder break-in. Out of 200 accounts,
> crack had brute forced over 70 of the passwords in less than two hours,
> and some of them were pretty good (just from looking at them).
>
These will only work if the encryption algorithm is publicly known then, I'm
thinking. If I were to use a different algorithm and didn't tell anybody
what it was ... I could use ROT13 and you wouldn't be able to "crack" it.
Right?
[...]
--
Maurice
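
The hash-and-compare test described in the quoted message, and the ROT13 case raised in the reply, as an added example that is not part of the original thread: an administrator's audit of a constructed password table. The account names, passwords, salts, wordlist and the use of PBKDF2-SHA256 as the one-way hash are all assumptions made for illustration.

```python
import codecs
import hashlib
import hmac

ITERATIONS = 1000  # kept low so the example runs quickly (assumption)

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted hash; PBKDF2-SHA256 is an assumed stand-in scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def audit(accounts: dict, wordlist: list) -> dict:
    """Hash each candidate with the account's salt and compare to the stored
    hash. Returns {user: password} for accounts that fall to the wordlist."""
    weak = {}
    for user, (salt, stored) in accounts.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                weak[user] = candidate
                break
    return weak

def rot13_store(password: str) -> str:
    """The 'secret algorithm' from the reply: ROT13 as password storage."""
    return codecs.encode(password, "rot13")

def rot13_recover(stored: str) -> str:
    """ROT13 is its own inverse, so the stored value decodes directly;
    no guessing is involved at all."""
    return codecs.encode(stored, "rot13")

# Constructed sample data: fixed per-user salts keep the run reproducible
# (a real system generates random salts).
_PLAINTEXT = {"alice": "password", "bob": "letmein", "carol": "vT9#qLw2!xRm"}
ACCOUNTS = {u: (u.encode() + b"-salt", hash_password(p, u.encode() + b"-salt"))
            for u, p in _PLAINTEXT.items()}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

if __name__ == "__main__":
    print("weak accounts:", audit(ACCOUNTS, WORDLIST))
    stored = rot13_store("vT9#qLw2!xRm")
    print("ROT13 stored:", stored, "-> recovered:", rot13_recover(stored))
```

Under the one-way hash the long random password survives the wordlist while the two common ones are found; under ROT13 the same long password is recovered immediately from its stored form.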