LISTSERV - HP3000-L Archives

HP3000-L Archives

October 1998, Week 4

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L October 1998, Week 4

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Forgotten password.
From:	"Stigers, Greg [And]" <[log in to unmask]>
Reply To:	Stigers, Greg [And]
Date:	Thu, 22 Oct 1998 14:11:03 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (49 lines)

The most obvious one being none?

While the merits of any given password encryption scheme are debatable, and
I actually do find that sort of thing interesting, my point was the idea of
a brute force attack being made pointless due to the unlikelihood of it
working in a useful amount of time because chosen passwords are too long and
complex for brute force attacks (although as processors get faster...). I
have requested a security audit with one of my complaints being that I found
a SECURITY / 3000 profile for MANAGER.SYS that had a temporary password.
While I did not know the user, I guessed it on the second try (although in
some shops, I could be fired just for trying). That should never happen,
although it was more good guessing than brute force, because they use
common, stupid conventions that everyone there knows for temporary password.
And they could have made better use of SECURITY / 3000 to prevent me from
succeeding, even when I guessed right. And they should have detected the
sign on attempt.

Of course, when that is prevented, we are like Wirt's medieval castle
builders; no one tries breaking thru the walls by brute force anymore, they
just poison the well or kill the first guy who shows up with food. IOW, the
attack must turn to different fronts (and not that we should kill the pizza
guy - that's worse than not tipping), such as trying obvious passwords as I
did, or unchanged defaults, or looking around monitors and under the
keyboards or in operator's notebooks, or...

> -----Original Message-----
> From: Gavin Scott [SMTP:[log in to unmask]]
> Sent: Thursday, October 22, 1998 1:40 PM
> To:   [log in to unmask]
> Subject:      Re: Forgotten password.
>
        <snip>
> There are 2,095,681,645,539 possible passwords of the MPE format.  Wirt's
> calculation misses the most obvious one.
        <snip>
> Greg mentions:
> > The PKZip manual has a handy little table to explain password "hacking"
> time
> > for a brute force attack on their encryption key method of protecting a
> ZIP
> > file, at the rate of 10,000 keys attempted per second.
>
> Impressive numbers unless you know that PKZIP uses a crappy encryption
> algorithm that can be attacked directly.  It's my understanding that any
> ZIP encrypted file can be broken very quickly without any guessing
> whatsoever.
>
> G.

ATOM RSS1 RSS2

RAVEN.UTC.EDU