A couple of notes:

> * Target related (if the site is Yoyodyne, try "yoyodyne")

While I appreciate this is just an example, please do not try this at home. Yoyodyne is not an entity to be trifled with.

> * Drug the user and hit him with a $5 wrench until he tells you the password

Wrenches of other values also have varying degrees of success.

-sc

> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Thursday, August 18, 2011 2:41 PM
> To: NT System Admin Issues
> Subject: Re: Almost, but not quite OT: Passwords
>
> On Thu, Aug 18, 2011 at 2:16 PM, Hilderbrand, Doug
> <[email protected]> wrote:
> > ... short and complex versus long password issue. I use long teens and
> > twenties long character passwords at work with upper/lower case,
> > numbers and punctuation.
>
> Broadly speaking, increasing the size of a password is usually more useful
> than increasing the complexity (entropy per character). There are multiple
> things at work: Humans generally find it easier to remember words than
> characters. Brute force, rainbow tables, dictionaries, and other such attacks
> increase in cost as you increase overall length. Combine the two and length
> is the winner. You also have various algorithmic accidents (such as the
> infamous NTLM two-part password hash thing) that usually mean longer is
> better in the event of a compromised hash.
>
> > If guessing a password doesn't work, brute force is all that's left.
>
> There are quite a few different ways to attack passwords.
>
> * Universally common passwords ("password", "12345", etc.)
> * Common password patterns (dates, SSNs, etc.)
> * Target related (if the site is Yoyodyne, try "yoyodyne")
> * User related (try user's favorite car, local sports team, etc.)
> * Various common word lists (words from popular fiction, computers,
>   profanity)
> * English words in general
> * Steal passwords for another site and try them elsewhere
> * Man-in-the-middle
> * Compromise the user's computer and sniff keystrokes
> * Compromise the user's password vault
> * Compromise the security of the target system
> * Bribe people who work at the target entity
> * Drug the user and hit him with a $5 wrench until he tells you the password
> * Brute force (try every possible password, in sequential order)
>
> And those are just the ones I could think of right now. :)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
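Added example, not part of the thread above: a small Python model of Ben's "cheapest guesses first" ladder and of his point that length buys more than per-character complexity. The salted SHA-256 store, the five-entry common-password list, the mangling rules, the sample users' passwords and the guess rate are all constructed for this example. The "two-part password hash thing" he refers to is the LM (LAN Manager) hash that NTLM-era Windows stored beside the NT hash; `lm_halves` shows only the split into independent 7-byte halves, not the DES step, and the "no LM hash above 14 characters" behaviour is a known Windows property, not something the thread states.

```python
import hashlib
import math
from typing import Iterator, List, Optional, Tuple

# Constructed demo store: a fixed salt and SHA-256 stand in for whatever the
# real target uses. This scheme is an assumption of the example, not the thread's.
SALT = b"demo-salt"


def hash_password(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Universally common passwords (hypothetical short list; real lists run to millions).
COMMON_PASSWORDS = ["password", "123456", "12345", "qwerty", "letmein"]


def mangle(word: str) -> Iterator[str]:
    """Cheap rewrite rules an attacker applies to a base word before falling
    back to brute force. Minimal rule set chosen for this example."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word + "2011"
    yield word.capitalize() + "2011!"


def candidates(target_words: List[str], user_words: List[str],
               wordlist: List[str]) -> Iterator[str]:
    """Guess order mirrors the ladder in Ben's list: universal passwords first,
    then target-related, user-related and dictionary words with mangling.
    Sequential brute force is what is left once this stream is exhausted."""
    yield from COMMON_PASSWORDS
    for base in [*target_words, *user_words, *wordlist]:
        yield from mangle(base)


def crack(target_hash: str, target_words: List[str], user_words: List[str],
          wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Return (password, guesses_tried), or (None, guesses_tried) if the
    cheap ladder is exhausted without a hit."""
    tried = 0
    for tried, guess in enumerate(candidates(target_words, user_words, wordlist), start=1):
        if hash_password(guess) == target_hash:
            return guess, tried
    return None, tried


def brute_force_bits(charset_size: int, length: int) -> float:
    """Size, in bits, of the exhaustive search space for `length` symbols
    drawn uniformly from `charset_size` choices."""
    return length * math.log2(charset_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 86400)


def lm_halves(password: str) -> Optional[Tuple[str, str]]:
    """The LM hash upper-cases the password, pads it to 14 bytes and hashes
    each 7-byte half independently, so an attacker searches two 7-character
    spaces (about 43 bits each for a 69-symbol alphabet) instead of one
    14-character space. A password of 7 or fewer characters leaves the second
    half as the all-zero block, which is immediately recognisable. Windows
    stores no LM hash for passwords longer than 14 characters, so None here."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\x00")
    return padded[:7], padded[7:]


if __name__ == "__main__":
    # Constructed site and users: "Yoyodyne" staff, one short-and-complex
    # password, one long lowercase passphrase.
    target_words, user_words, wordlist = ["yoyodyne"], ["mustang"], ["dragon"]
    for pw in ("Yoyodyne2011!", "the wrench costs five dollars"):
        print(pw, "->", crack(hash_password(pw), target_words, user_words, wordlist))
    rate = 1e10  # assumed offline guess rate against a fast unsalted-style hash
    for label, cs, n in (("8 chars, full ASCII", 95, 8),
                         ("20 chars, lowercase", 26, 20),
                         ("4 words from 7776-word list", 7776, 4)):
        bits = brute_force_bits(cs, n)
        print(f"{label}: {bits:.1f} bits, ~{expected_years(bits, rate):.2e} years at {rate:.0e}/s")
    print("LM halves of 'Yoyodyne2011!':", lm_halves("Yoyodyne2011!"))
```

The two `crack` calls make Ben's ordering concrete: the "complex" password built on the company name falls to the cheap ladder in a handful of guesses, while the long lowercase phrase never appears in it and its 94-bit search space puts sequential brute force out of reach. The 7776-word passphrase row is included as a caveat from the editor: length only helps to the extent the attacker cannot model how the characters were chosen, so a four-word phrase from a known short list is closer to the 8-character case than to the 20-character one.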
