RE: "Proactive" Password Checking
Moore, James (James.Moore@MSFC.NASA.GOV)
Wed, 17 Nov 1999 12:30:22 -0600
- Next message: Neil Ratzlaff: "RE: Newspaper Article about Cable Modem security / Solutions?"
- Previous message: Joseph S D Yao: "Re: Is this for real"
- Next in thread: Matt Carothers: "RE: "Proactive" Password Checking"
- Reply: Matt Carothers: "RE: "Proactive" Password Checking"
Amen, brother.
The only thing I'd add to Russ' comments is that passfilt.dll's activities
must be constrained to assure the server does not get bogged down doing
extensive dictionary searches/trial-and-error crack attempts... I still feel
this belongs on the "back end". PDCs have more to do than pound on
passwords.
Jim Moore
256.461.4381
----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9 7886 7797 6908 048F 049B
---------------------------------------------------
> -----Original Message-----
> From: Russ [SMTP:Russ.Cooper@rc.on.ca]
> Sent: Wednesday, November 17, 1999 11:54 AM
> To: 'Moore, James'; firewall-wizards@lists.nfr.net
> Subject: RE: "Proactive" Password Checking
>
> One more note about passfilt.dll (with the caveat that I am not a
> programmer and could not code what I propose).
>
> Passfilt.dll is an application, and as such, can do anything an off-line
> cracker can do. So in addition to supplying it with guidance rules as to
> what should be in a "decent" password, there's absolutely no reason why
> passfilt.dll could not take the proposed password (which it receives in
> plaintext) and pass it through as many dictionaries one might deem
> appropriate. If there's a match, or partial match, the password can be
> rejected on that basis in addition to, or instead of, the guidance rules.
>
> Taking a plaintext and looking it up for "like" matches in on-line
> dictionaries of whatever size appropriate should make it reasonably
> impervious to crack attacks. Of course all of this assumes you are not
> using LanMan hashes in your network, otherwise, all of this is pretty much
> a waste of effort.
>
> It's really a shame that none of the NT coders from ISS or RSA are on this
> list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up
> with a decent passfilt replacement as open source.
>
> Cheers,
> Russ - NTBugtraq Editor
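The kind of checker the thread describes (guidance rules plus a dictionary lookup of exact and "like" matches on the plaintext candidate), with the work capped so the check cannot bog down the server as Jim warns. This is an added illustration written for this archive page, not code from passfilt.dll or from either poster; the word list and the substitution table are constructed samples, and the caps are assumptions.

```python
import re
from typing import Optional

# Constructed sample word list; a real checker would load large dictionaries.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "nasa",
              "firewall", "wizard", "november"}
# Substitutions an off-line cracker would try, undone here before lookup (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
TRIM = "0123456789!@#$%^&*()_-+=.,"   # digits/punctuation commonly bolted on to a word

MIN_LEN = 8        # guidance rules (assumed policy values)
MAX_LEN = 64       # candidate is truncated so the cost below is bounded
MAX_VARIANTS = 32  # hard cap on derived forms checked per password
MIN_STEM = 4       # shortest substring compared against the dictionary

def guidance_rules(pw: str) -> Optional[str]:
    """Composition rules; returns a rejection reason, or None if the rules pass."""
    if len(pw) < MIN_LEN:
        return "too short"
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "needs three character classes"
    return None

def variants(pw: str) -> set:
    """Bounded set of normalised forms: case-folded, de-leeted, trimmed, reversed."""
    base = pw[:MAX_LEN].lower()
    forms = {base, base.translate(LEET)}
    forms |= {f.strip(TRIM) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    return set(sorted(forms)[:MAX_VARIANTS])

def dictionary_hit(pw: str, words: set = DICTIONARY) -> Optional[str]:
    """Exact or partial ('like') match: any stem of any variant that is a dictionary word.
    Cost is at most MAX_VARIANTS * MAX_LEN**2 / 2 constant-time set lookups."""
    for form in variants(pw):
        for i in range(len(form) - MIN_STEM + 1):
            for j in range(i + MIN_STEM, len(form) + 1):
                if form[i:j] in words:
                    return form[i:j]
    return None

def check_password(pw: str):
    """Returns (accepted, reason), mirroring the accept/reject decision a filter makes."""
    reason = guidance_rules(pw)
    if reason:
        return False, reason
    word = dictionary_hit(pw)
    if word:
        return False, f"contains dictionary word '{word}'"
    return True, "ok"
```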
This archive was generated by hypermail 2.0b3 on Thu Nov 18 1999 - 06:20:08 CST