Douglas Royds wrote:

On 4/21/05, Steve Holdoway wrote:

I read a rather good article from someone at Mickey$oft about security. He
suggested that you give up on the use of passwords altogether. Instead
you should use a passphrase. Easy for you to remember, but at 30 or 40
characters, almost impossible to hack.


The bod at Microsoft missed the point. To carry out a brute-force attack, you need to know a user name, then guess the password. To attack a *nix system, I'd choose the user name "root".

That's a pretty poor choice. Which protocol are you going to use for your attack? telnet - not switched on, ftp - disabled for root, ssh - disabled for root... I was hacked when I stupidly left an Oracle account open with an easily guessable password. Didn't do them much good except for getting a copy of /etc/passwd and /etc/shadow, and I had to change all my passwords.



An easy-to-remember form of password is to alternate randomly selected consonants and vowels, e.g. ricinodi. 8 chars made up of 4 consonants and 4 vowels gives 120e6 possibilities, which is rather a lot.


If the log-in mechanism allowed one log-in attempt per second, it would take almost 4 years to cover them. You might get lucky and crack it in a few months. But only if the log-in allowed one attempt per second indefinitely. So this is where Microsoft - and the open source community - can prevent brute-force attack - simply limit the rate at which attempts can be made.

And if I'm attacking in parallel - is that still 1/sec? The login routine includes an exponential increase in delay time for each incorrect password, so it's pointless to try more than once.


And do I need to wait until it's complete before I try again? If I'm using all my (brute) force to get in, I will be doing both.

<prediction>
Laurels are not for resting on, and if we do, then the *nix community will get caught badly. If not this year, then next.
</prediction>


Cheers,

Steve


=======================================================================
This email, including any attachments, is only for the intended addressee. It is subject to copyright, is confidential and may be the subject of legal or other privilege, none of which is waived or lost by reason of this transmission. If the receiver is not the intended addressee, please accept our apologies, notify us by return, delete all copies and perform no other act on the email. Unfortunately, we cannot warrant that the email has not been altered or corrupted during transmission.
=======================================================================

(Does this footer have any legal standing?)
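The arithmetic argued over above (the 120e6 keyspace, the "almost 4 years" at one attempt per second, and whether a per-login exponential delay still helps once the attacker runs connections in parallel), worked through as an added example that is not from the thread. It assumes 21 consonants and 5 vowels, integer-second time steps, and a guard that keys its delay state either on the connection or on the account being attacked.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length=8, consonants=21, vowels=5):
    """Size of the alternating consonant/vowel scheme (cvcvcvcv for 8 chars)."""
    return consonants ** ((length + 1) // 2) * vowels ** (length // 2)


def years_to_exhaust(space, attempts_per_second):
    """Time to walk the whole keyspace at a fixed accepted-attempt rate."""
    return space / attempts_per_second / SECONDS_PER_YEAR


class BackoffGuard:
    """Exponential delay after each failed attempt, tracked per `key`.

    Keyed on the connection, a parallel attacker gets a fresh delay schedule
    per connection. Keyed on the account, every connection shares one
    schedule and the attempts serialise no matter how many are opened.
    """

    def __init__(self, base_delay=1.0):
        self.base = base_delay
        self.next_ok = {}    # key -> earliest time another attempt is accepted
        self.failures = {}   # key -> consecutive failures so far

    def attempt(self, key, now):
        if now < self.next_ok.get(key, 0.0):
            return False     # rejected before the password is even checked
        f = self.failures.get(key, 0)
        self.failures[key] = f + 1
        self.next_ok[key] = now + self.base * (2 ** f)   # 1, 2, 4, 8, ... seconds
        return True          # counted as one (wrong) guess


def guesses_in_window(window_seconds, connections, key_by_account, base_delay=1.0):
    """Wrong guesses against 'root' that the guard lets through in the window.

    Simulated attacker: every connection retries on every second (constructed
    model, not a real login daemon).
    """
    guard = BackoffGuard(base_delay)
    accepted = 0
    for now in range(int(window_seconds)):
        for conn in range(connections):
            key = "root" if key_by_account else ("root", conn)
            if guard.attempt(key, now):
                accepted += 1
    return accepted
```

With the delay keyed per connection, 100 parallel connections get 100 times the guesses of a single one in the same hour; keyed per account, 100 connections get no more than one does.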
