>Before you go too far with strong passwords, remember, they do more harm
>than good in most cases. You trust your money to a four digit pin so
>think about strong authentication, not strong passwords. Two factor can
>be done with a variety of inexpensive technologies.

Are you kidding me, you are under the impression that a 4 digit pin is secure? I for one have no illusions about how insecure a 4 digit pin actually is! Whatever security is provided by said 4 digit pin is more related to the fact that there are not freely available pin cracking tools for ATM machines...as there are password cracking tools.

>Strong passwords are the number one source of denial of service in most
>environments due to the frequent false reject problem that occurs when
>users can't keep up with frequent changes and strong password. They're
>also one of the highest costs for security since it's the number one
>task for help desks and sys admins to support.

As a help desk supervisor, I assure you that the related cost of time and money supporting the reset of passwords is minimal and therefore a small price to pay for increased security.

...

>In terms of dictionaries, I think the aggressive approach would include
>concatenations and number and special character injections into the
>words. In more secure environments, where users are battered with monthly
>password changes they usually inject the numeric value for the month
>somewhere in a common word. But the point is, it's not too difficult to
>build a really big database of words with special character and numeric
>injections, run them through the hash algorithm and have a table to
>check for matches.

If someone were in an environment where they must change their password monthly...they are probably using the wrong technology. Perhaps a combination of different layers would be a better solution to monthly changes.

...

-----Original Message-----
From: Shane Lahey [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 7:38 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: UNIX password auditing tool

Alec Muffett Crack :: http://www.crypticide.org/users/alecm/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: UNIX password auditing tool
>
> I have tried searches for UNIX password cracking tools and I have come up
> with little value. Can someone direct me to passwd auditing tools
> besides "John The Ripper" that are free or cost?
>
> Regards,
> James