On Fri, April 22, 2005 9:53 am, Douglas Royds said:
> Steve Holdoway wrote:
>> Douglas Royds wrote:
>>> If the log-in mechanism allowed one log-in attempt per second, it
>>> would take almost 4 years to cover them. You might get lucky and crack
>>> it in a few months. But only if the log-in allowed one attempt per
>>> second indefinitely. So this is where Microsoft - and the open source
>>> community - can prevent brute-force attack - simply limit the rate at
>>> which attempts can be made.
>>
>> And if I'm attacking in parallel - is that still 1/sec? The login
>> routine includes an exponential increase in delay time for each
>> incorrect password, so it's pointless to try more than once.
>
> Which log-in routine, sorry?

I'd hope that all of your authentication went through pam, so any!

http://www.vsl.gifu-u.ac.jp/freeman/misc/pam-0.72/ps/pam_appl.ps

>
>> And do I need to wait until it's complete until I try again? If I'm
>> using all my (brute) force to get in, I will be doing both.
>
> Both which?

Both attacking in parallel and not waiting for a response. And, of course,
attacking on ssh, http, dns, snmp, smtp, and all the other services that
you may have running concurrently as well.

>
>> (Does this footer have any legal standing?)
>
> Enough about the footer, thanks.
>
> Douglas.
>
... the average md5 password can be cracked in 30ms...

http://linuxexposed.com/Articles/Hacking/Password-Cracking-and-Time-Memory-Trade-Off.html
http://www.linuxexposed.com/Articles/Hacking/Unix-Attacking-Techniques.html
http://www.antsight.com/zsl/rainbowcrack/

Just to get started - and this is just the published stuff. I'm no expert,
but I guarantee I'll be getting *lots* more than 1 attempt / second!
( Not that I have the slightest interest in proving it )

Steve.

-- 
Windows: Where do you want to go today?
MacOS: Where do you want to be tomorrow?
Linux: Are you coming or what?
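
The rate-limiting question raised in this thread, as an added example that is not part of the original messages and is not PAM's implementation: a delay enforced separately on each connection does not bound the total guess rate against an account, while exponential back-off state shared per account across all connections and services does. The class and function names, the account name "alice" and the simulated clock are assumptions made for illustration.

```python
"""Per-connection delay vs. a shared per-account throttle (simulated clock)."""

class AccountThrottle:
    """Exponential back-off keyed by account, shared by every service and
    connection that authenticates that account (hypothetical helper)."""

    def __init__(self, base_delay=1.0, max_delay=3600.0):
        self.base_delay = base_delay  # seconds of delay after the first failure
        self.max_delay = max_delay    # cap so the back-off is never permanent
        self._state = {}              # account -> (failures, earliest next try)

    def allow(self, account, now):
        """True if a guess for `account` may be checked at time `now`."""
        return now >= self._state.get(account, (0, 0.0))[1]

    def record_failure(self, account, now):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, now + delay)

    def record_success(self, account):
        self._state.pop(account, None)  # a good login clears the back-off


def guesses_per_connection_delay(connections, window, delay=1.0):
    """Delay enforced on each connection separately: every connection gets one
    guess per `delay` seconds, so the total scales with parallelism."""
    return connections * int(window // delay)


def guesses_shared_throttle(connections, window, tick=1.0):
    """Every connection retries on each tick, but all consult one throttle."""
    throttle = AccountThrottle()
    checked, now = 0, 0.0
    while now < window:
        for _ in range(connections):
            if throttle.allow("alice", now):           # constructed account name
                checked += 1
                throttle.record_failure("alice", now)  # every guess is wrong
        now += tick
    return checked


if __name__ == "__main__":
    for n in (1, 50):
        print(n, "connections, 1 hour:",
              guesses_per_connection_delay(n, 3600), "guesses per-connection,",
              guesses_shared_throttle(n, 3600), "guesses with shared throttle")
```

The throttle only constrains online guessing through the login path; it has no effect on an attacker who already holds the password hashes.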
