2007/1/23, Harold Fuchs <[EMAIL PROTECTED]>:
>
> On Tuesday, January 23, 2007 4:57 PM [GMT+1=CET],
> Dan Lewis <[EMAIL PROTECTED]> wrote:
>
> >     Comments inline.
> >
> > On Tuesday 23 January 2007 9:03 am, James Knott wrote:
> >> TerryJ wrote:
> >>> Getting off topic, I've belatedly woken up to a major hole in the
> >>> "security" about which I'd been smug.
> >>>
> >>> On the Linux OSs I've used, you need a password by default to log
> >>> in.  You can drive a truck through that with a live cd.  The one
> > >> I've got lets you log in as administrator (Linux = root) and
> >>> have your evil way with anything and everything on the hard
> >>> drive.
> >     Please specify the live CD that you used to do this. I have a
> > live CD of one distribution that will not even recognize the Linux
> > partition on the computer at all, and the partition is the same
> > distribution as the live CD.
> >>
> >> Security involves physical security.  If someone has physical
> >> access, they can do almost  anything they want
> >>
> >>> I'd use top quality software to encrypt a file with some
> >>> confidence but OpenOffice is not in that category.  The password
> >>> might be secure (although there's a password cracker on
> >>> www.ooomacros.org) but the encrypting can, it seems, go awry.
> >
> >       Please explain what you mean by the encryption going awry. On
> > what basis have you decided that OOo is not in the category of a top
> > quality encryption?
> >       I am skeptical of your claims because I do not know what your
> > background is. These claims may be true or they might not be. But
> > without collaboration by others, there is no way to tell.
> >
> > Dan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> The password cracker macro announces itself as a dictionary attack. It
> comes with these *five* passwords in its (text file) dictionary:
>    password
>    Password
>    PASSWORD
>    pass word
>    p4$$ w0rd!
>
> In addition it points the user at a web site (www.openwall.com) which the
> author says is a good source of dictionary files. The site has free
> wordlists and also sells a CD with those lists plus a single wordlist,
> implemented as a text file, claimed to have over 40 million entries, many
> of which have been generated by taking ordinary words and applying "word
> mangling" rules to them (capitalisation, numbers instead of letters
> [number 1 instead of letter l, for example] etc. etc.). Seems to me you'd
> need to pick quite a good password to beat that.


Or maybe not. Here are some simple maths:
Let's say that the password is 8 letters (mixed capitals/non-capitals)
separated by a non-alpha character. This is a very common way to create
passwords. If a word list, against all odds, actually contains these words in
the correct order with a separator (a non-alpha character, as I said a few
words ago), there are quite a few variations that have to be covered.

Example:
The correct password is made with the words "word" and "book" and separated
by a non alpha character.
wordbook contains 8 characters. This means that there are 256 different ways
to combine capitals with non-capitals:
wordbook
wordbooK
wordboOk
wordboOK
and so on.

As I said, there is also a separator. This can be one of these, and maybe
a lot more:
0-9
!"#¤%&/()=?½§
^"~*'_-:.;,<>|@£$\
Maybe even åäöÅÄÖüïë and so on, but I am not sure these are valid characters
for passwords. Without them we have 41 possible characters. This character
can be placed in 9 different places:
1wordbook
w1ordbook
and so on until
wordbook1

Finally, 256·41·9=94464 combinations.

So, if the list contains 40 million entries, this means that we have
40000000/94464=423 unique word combinations. That's not a whole lot, is it?
And maybe the correct password is "wORdb6oO9k#", which is not very
complicated, but much harder to cover with a list...

I tried that macro and I found that the exact phrase must be included in the
list, otherwise the macro will fail. If the correct password is word4book,
the following list will not help:
word
book

When I added the following line, the macro didn't fail:
word4book

What I wanted to say is that, if all combinations of capitals and separators
are considered, a list of 40 million possible passwords is not very much.
It's pretty easy to create a password that's not even close to being included
in such a list.

Sorry for replying almost a year after this subject was "hot"...

Johnny Rosenberg



I assume it has "passphrases" as well.
> Any decent encryption scheme will allow and use pass phrases of virtually
> unlimited length (unlike some half-baked systems which let you
> choose/enter long passwords but only really use the first 8 or 10
> characters).
>
> If the macro does 100 tries per second, 40 million tries takes about 4.63
> days; 10,000 tries per second brings that down to a little more than an
> hour. Of course, "on average" if the thing succeeds at all it'll succeed
> after half that time.
>
> The only real way to defeat a dictionary attack is to destroy the
> encrypted document after <x> failures (x = 3, 5 ?) and hope the attack
> isn't lucky within that <x>. One can also delay things considerably by
> saying "after <x> failed attempts you can't try again for <n> minutes".
>
> The algorithm used to perform the encryption is actually irrelevant. The
> only things that matter are the quality of the password and the quality of
> the dictionary. More complex algorithms mean each guess (and therefore the
> total attack) takes longer but, against a really good dictionary, offer no
> more protection than XOR. No, that does *not* mean that XOR is as good as
> Blowfish. It means XOR is no less susceptible to a dictionary attack than
> Blowfish. Blowfish is *much* better against other forms of attack.
>
> Harold Fuchs
> London, England
>

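Added example, not part of the thread above or of the ooomacros.org macro: it enumerates the "two words plus one separator" variations Johnny counts, runs an exact-match dictionary attack of the kind he observed (the whole phrase has to be in the list), and carries Harold's time-to-exhaust arithmetic. The SHA-256 comparison standing in for the document's password check and the 41-symbol separator alphabet (digits, the punctuation listed in the post with the repeated quote mark dropped, plus a space) are my assumptions, not anything the thread states about OpenOffice.

```python
"""
Added example, not part of the mailing-list thread: count the variations
described for a "two words plus one separator" password, generate them, run
an exact-match dictionary attack as the ooomacros.org macro does, and compute
how long a list takes to exhaust at a fixed guess rate.

Assumptions (mine, not the thread's): the document's password check is
modelled as a SHA-256 comparison, a stand-in for whatever OpenOffice really
does; the separator set is constructed to have the 41 symbols counted in the
post (digits, the listed punctuation with the repeated quote mark dropped,
plus a space).
"""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Sequence, Tuple

# Constructed separator alphabet: 10 digits + 30 punctuation marks + space = 41.
SEPARATORS = "0123456789" + '!"#¤%&/()=?½§' + "^~*'_-:.;,<>|@£$\\" + " "


def case_variants(word: str) -> Iterator[str]:
    """Every upper/lower-case spelling of word: 2**len(word) for all-letter input."""
    for bits in itertools.product((False, True), repeat=len(word)):
        yield "".join(c.upper() if up else c.lower() for c, up in zip(word, bits))


def candidates(words: Sequence[str], separators: str = SEPARATORS) -> Iterator[str]:
    """All spellings of the joined words with one separator inserted at any of
    len(base)+1 positions (9 for "wordbook"): the set a wordlist would need."""
    base = "".join(words)
    for spelled in case_variants(base):
        for pos in range(len(spelled) + 1):
            for sep in separators:
                yield spelled[:pos] + sep + spelled[pos:]


def variant_count(words: Sequence[str], separators: str = SEPARATORS) -> int:
    """Closed form of the post's arithmetic: 2**8 * 41 * 9 = 94464 for word+book."""
    base = "".join(words)
    return 2 ** len(base) * len(separators) * (len(base) + 1)


def word_pairs_covered(list_entries: int, words: Sequence[str]) -> int:
    """How many distinct word pairs a list of list_entries could cover exhaustively."""
    return list_entries // variant_count(words)


def lock(password: str) -> bytes:
    """Constructed stand-in for the document's password check (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def dictionary_attack(target: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Exact-match attack as the macro does it: each list entry is tried verbatim.
    Returns (recovered password or None, number of guesses made)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if lock(guess) == target:
            return guess, tried
    return None, tried


def attack_seconds(entries: int, guesses_per_second: float) -> Tuple[float, float]:
    """(worst case, average) seconds to run a whole list at a fixed guess rate."""
    worst = entries / guesses_per_second
    return worst, worst / 2


if __name__ == "__main__":
    target = lock("word4book")
    # The two bare words never match: the exact phrase has to be in the list.
    print(dictionary_attack(target, ["word", "book"]))
    # The generated variants do contain it, at the cost of 94464 list entries.
    found, guesses = dictionary_attack(target, candidates(("word", "book")))
    print(found, guesses, "of", variant_count(("word", "book")))
    print("word pairs a 40M-entry list can cover:",
          word_pairs_covered(40_000_000, ("word", "book")))
    worst, avg = attack_seconds(40_000_000, 100)
    print(f"40M guesses at 100/s: {worst / 86400:.2f} days worst case, "
          f"{avg / 86400:.2f} days on average")
```

Running it shows the two bare words fail, the 94464-entry variant set succeeds, a 40-million-entry list exhausts only 423 such word pairs, and 40 million guesses at 100 per second take about 4.63 days worst case.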