Interesting article about Passwords

[ghenry]

http://www.pclinuxonline.com/modules...rder=0&thold=0

Bear in mind that just because your password isn't in English, that you're safe.

I once got into a webcam for fun. It had a public username/pass to view the pictures it took, but had ftp access enabled. Guess what, the same username/pass let you into the camera, then the /etc/passwd file was the old style, i.e. not shadowed and had read access.

A simple download of this, accompanied with John the Ripper and a 80MB dictionary file I made from every language and word available for download, cracked it in 5 mins (it was in French) on a PIII450 and gave me root access.

Why? Just for fun, then I fixed for our admin.

[Jman]

And the worst password of all: password.

Any password that's actually a word will fail to a dictionary attack eventually, no matter what the language.

[perigee]

but if you set password as ''https://www.findyou.info', try this case. One of my friend used to use this method to set the password

Call me paranoid if you like, but my system passwords are a mix of upper case. lower case, special chars and numbers. And all passwords are 16 characters with mandatory changes every 30 days. I wonder how many passwords could be made from those combinations. Heh, I suck at math, anyone know what formula would be used to find this out?

[kosmosik]

I use keys :] to remote systems, my local logins are passwordless since nobody untrusted will login locally anyway...
as for web I let my firefox remember all passwords (randomly generated via apg) and I use master password for it...

[Jman]

Quote:

Originally Posted by greatscot

Call me paranoid if you like, but my system passwords are a mix of upper case. lower case, special chars and numbers. And all passwords are 16 characters with mandatory changes every 30 days. I wonder how many passwords could be made from those combinations. Heh, I suck at math, anyone know what formula would be used to find this out?

Assuming you just used upper and lowercase alphanumeric, it would be 62^16 (26 * 2 + 10, multipled by itself 16 times), which is 47,672,401,706,823,533,450,263,330,816.

Speaking of passwords, I use this nice app for password storage: http://passwordmanager.sourceforge.net/

PwManager saves your passwords blowfish-encrypted in one file, so you have to remember only one master-password to open the master file list instead of remembering tons of passwords. Instead of the master-password you can use a chipcard, so you don't have to remember a password to access the list.

Jman: thanks for that info, that's a lot of combinations.

[THE Ralfinator]

Does anyone know of a wordlist generator for use with John the Ripper? I mean is the only way of having a wordlist to use with it to download one from the internet? Sometimes you remember certain things about the password you forgot, so being able to generate your own wordlist using the things you remember would seem like a good way of doing it.

[Jman]

Quote:

Originally Posted by THE Ralfinator

Does anyone know of a wordlist generator for use with John the Ripper? I mean is the only way of having a wordlist to use with it to download one from the internet? Sometimes you remember certain things about the password you forgot, so being able to generate your own wordlist using the things you remember would seem like a good way of doing it.

If you needed to crack your own passwords yes that would help. It would be a lot more efficient than throwing the dictionary at it. As far as I know you only need a new line delimited file.

[pdb]

Quote:

Originally Posted by THE Ralfinator

Does anyone know of a wordlist generator for use with John the Ripper? I mean is the only way of having a wordlist to use with it to download one from the internet? Sometimes you remember certain things about the password you forgot, so being able to generate your own wordlist using the things you remember would seem like a good way of doing it.

You could also run the downloaded wordlist through a regular expression to get just the words that match what you remember. This would handle simple stuff like "I think it started with either s or t" while still allowing the password cracker to try words that you might not explicitly think to put in a wordlist.

[THE Ralfinator]

Quote:

If you needed to crack your own passwords yes that would help. It would be a lot more efficient than throwing the dictionary at it. As far as I know you only need a new line delimited file.

So is there a program out there that can generate a new line delimited file using the arguments you provide? Things like starting with certain letters, or having a certain amount of characters in it?

Quote:

You could also run the downloaded wordlist through a regular expression to get just the words that match what you remember. This would handle simple stuff like "I think it started with either s or t" while still allowing the password cracker to try words that you might not explicitly think to put in a wordlist.

I agree that method would to a degree, but only if your password is indeed in the wordlist to begin with.

[pdb]

Quote:

Originally Posted by THE Ralfinator

So is there a program out there that can generate a new line delimited file using the arguments you provide? Things like starting with certain letters, or having a certain amount of characters in it?

I agree that method would to a degree, but only if your password is indeed in the wordlist to begin with.

Grep could do it with carefully constructed regular expressions.

[tornadof3]

Quote:

Originally Posted by Jman

Assuming you just used upper and lowercase alphanumeric, it would be 62^16 (26 * 2 + 10, multipled by itself 16 times), which is 47,672,401,706,823,533,450,263,330,816.

To make people feel *even* safer/happier etc etc, if you include special chars eg $ % " * ^ < ? etc etc then that number would go up. A quick count on my keyboard reveals 24 such special chars (prob more)... yielding

(26 * 2 + 10 + 24)^16 = 86^16
= 8,953,136,790,196,197,357,146,289,012,736
~= 8.95 x 10^30

Assuming a crack system could try 5,000,000 combinations per second (optimistic!), that would still take 56,780,421,043,862,236 years to exhaust all combinations via 'brute force'..