Re: Why Linux take so long to process username and password?

From: Ender Everett (barfdader_at_flash.net)
Date: 11/27/03


Date: Thu, 27 Nov 2003 01:15:29 GMT

James Knott wrote:

> Ender Everett wrote:
>
>> That is exactly why it takes this long. A machine can try as many
>> combinations of passwords (or userids) as bandwidth and the server speed
>> permits if there is no delay, thus making brute force cracking attempts
>> very easy and practical to do on an untimed security system. This process
>> becomes even easier if the cracker runs through every dictionary word and
>> known name before he starts trying random combinations of characters.
>> With a 3 second delay you go from nearly limitless attempts to just under
>> 28,800 attempts at brute forcing per 24 hours, making this very
>> impractical.
>
> I have also worked with some systems, where after a certain number of
> failed attempts, the ID is blocked for a period of time or even until the
> sysop or admin resets it.

Again, this is just a behaviour that is configured into the system. Yahoo!
mail works this exact way; after 3 tries you have to get a new password
from them. (Kind of corny example, but it's the same thing and works pretty
well for their situation.)

This could be inconvenient for a home user, however, and it cannot be done
for root without a backup method -- usually with a live user on site
instead of a networked login of course, which is a whole different cracking
discussion of its own.

It's happened where all you need to DoS a system is to castrate the remote
sysadmin by disabling root's remote login if there's no one around on site
who knows how to do his job. A good example would be when a known sysadmin
is going on a working vacation or other trip and his system is set to
suspend remote logins (including root) that fail three times or whatever.
As soon as he leaves, you kill root's login by spamming it, then login with
a known account of meager privilege and do whatever without him being able
to fix it.

That's secondary to getting root access yourself and changing the root
password for the duration of his absence of course.

>> A long time ago I used to be pretty good at getting into other people's
>> boxes because there was no timer and I could script the shorter (6 to 8
>> letters) words from a dictionary to be used as a brute force crack key.
>> You'd be amazed how many people feel safe because they spelled a proper
>> English word like "halibut" with substitutions such as "h41i8uT".
>>
>
> I use md5sum to generate my WEP key. I doubt you'd find those keys in any
> dictionary.

You're right, any non-word based string that you further randomize is a
great base for a password. You can also take letter x (or letter x! if it's
really famous... there are common poem string passwords included in some
crack libraries now) from every line of a poem or book or whatever and
those are nearly impossible to guess.

-- 
"Beat your children at least once a day; if you don't know why, they do."
-A surprisingly famous guy
http://barfdader.com
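The two mechanisms the thread compares, a fixed delay after each failed login and a lock-the-account-after-N-failures rule, can be modelled in a few dozen lines so the trade-off is concrete: the delay bounds how fast one connection can guess, while a per-account lock is something a third party can trip on purpose to keep the real admin out. The following is an added example written for this page; it is not code from the thread or from any Linux login program, and every name, policy value and sample source address in it is constructed for illustration.

```python
"""Added example (not from the thread): a small model of the two login-failure
policies discussed above, so the lockout-as-DoS trade-off the poster describes
can be checked concretely. All names, numbers and sample sources here are
constructed for illustration; this is not PAM or login(1) itself."""
from dataclasses import dataclass, field

SECONDS_PER_DAY = 24 * 60 * 60


def max_serial_guesses_per_day(fail_delay_s: float) -> int:
    """Upper bound on guesses one serial connection can make in 24 hours when
    every failure costs fail_delay_s seconds (3 s gives the thread's 28,800)."""
    if fail_delay_s <= 0:
        raise ValueError("a non-positive delay puts no bound on guesses")
    return int(SECONDS_PER_DAY // fail_delay_s)


@dataclass
class LockoutPolicy:
    deny: int = 3               # failures before the counter trips
    unlock_time_s: int = 600    # how long a tripped counter stays tripped
    per_source: bool = False    # key the counter by (account, source) instead of account only
    deny_root: bool = True      # whether "root" is subject to lockout at all
    fail_delay_s: float = 3.0   # fixed delay charged to the caller after a failure


@dataclass
class LoginGuard:
    policy: LockoutPolicy
    # counter key -> (consecutive failures, time of the last failure)
    _failures: dict = field(default_factory=dict)

    def _key(self, account: str, source: str):
        return (account, source) if self.policy.per_source else account

    def _lockable(self, account: str) -> bool:
        return self.policy.deny_root or account != "root"

    def attempt(self, account: str, source: str, password_ok: bool, now: float) -> dict:
        """Evaluate one login attempt. Returns the outcome and the delay the
        caller must sleep before answering (hypothetical interface)."""
        p = self.policy
        key = self._key(account, source)
        count, last = self._failures.get(key, (0, 0.0))
        # A tripped counter refuses even the right password until unlock_time passes.
        if self._lockable(account) and count >= p.deny and now - last < p.unlock_time_s:
            return {"outcome": "locked", "delay": p.fail_delay_s}
        if count >= p.deny and now - last >= p.unlock_time_s:
            count = 0  # lock expired: start counting afresh
        if password_ok:
            self._failures.pop(key, None)
            return {"outcome": "ok", "delay": 0.0}
        self._failures[key] = (count + 1, now)
        return {"outcome": "denied", "delay": p.fail_delay_s}


def lockout_dos_scenario(policy: LockoutPolicy) -> str:
    """The thread's scenario: an unknown host burns root's failure budget, then
    the legitimate admin presents the correct password from a different host.
    Returns the admin's outcome so the policies can be compared."""
    guard = LoginGuard(policy)
    unknown_host, admin_host = "198.51.100.7", "192.0.2.10"   # constructed addresses
    for i in range(policy.deny):
        guard.attempt("root", unknown_host, password_ok=False, now=float(i))
    return guard.attempt("root", admin_host, password_ok=True, now=10.0)["outcome"]


if __name__ == "__main__":
    print("guesses/day with a 3 s delay:", max_serial_guesses_per_day(3))
    print("per-account lock, root included:", lockout_dos_scenario(LockoutPolicy()))
    print("counter keyed by source:", lockout_dos_scenario(LockoutPolicy(per_source=True)))
    print("root exempt from lockout:", lockout_dos_scenario(LockoutPolicy(deny_root=False)))
```

The default policy reproduces the poster's complaint: three failures from anywhere and the admin's correct password is refused for the unlock period. Keying the counter by source, or leaving root out of the lock and relying on the delay alone, keeps the admin's login working while still bounding the guess rate. On a Linux box the real knobs are `FAIL_DELAY` in `/etc/login.defs` (or `pam_faildelay.so`) for the delay and `pam_faillock.so` with `deny=`, `unlock_time=` and `even_deny_root` for the lock; faillock leaves root unlocked unless `even_deny_root` is set, which is the same choice `deny_root=False` makes in the model.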

