HP3000-L Archives

October 1998, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Patrick Santucci <[log in to unmask]>
Reply To: Patrick Santucci <[log in to unmask]>
Date: Thu, 22 Oct 1998 15:00:19 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (50 lines)

Stigers, Greg [And] wrote:

> The PKZip manual has a handy little table to explain password "hacking" time
> for a brute force attack on their encryption key method of protecting a ZIP
> file, at the rate of 10,000 keys attempted per second. This does not take
> into account the expected value, dividing by two per Gavin and Wirt, and
> would be pretty tricky to pull off on a console.

<Greg's cool table of numbers snipped>

Nitpick time:

Forgive me Greg, but I don't think those numbers are very realistic for
an HP3000. Art's point is extremely valid in this instance (not that it
isn't in any other, dgmw!). AFAIK, there's *no way* to make 10,000
attempts per second on an HP3000 signon. Tracy's original estimate of one
try in an average of 6 seconds is a little high, but there *is* some lag
to the response you'd get from the time you start typing the first HELLO
command to the time the next prompt appears to enter the password
(assuming you failed), including the lag time needed to wait for the
system to be ready to accept input again. (YMMV here, on our 995 it's
more like 3 seconds, depending on how fast you type.) I presume a
program could be written that could just keep shoving passwords at the
system, but as Art pointed out, it would have to be smart enough to know
to type the entire HELLO command again every third time.

I would estimate a minimum of 1/2 to 1 second turnaround from the time a
password is entered till the system will accept input again. This makes
finding even a 3-character password take much longer than 3.37 seconds,
even using only the 26 alpha characters and no numerics. In fact,
someone who is unfamiliar with HP3000 passwords would waste a lot of time
if they tried using all 256 ASCII characters.

If by "pretty tricky to pull off on a console" you mean all the "INVALID
PASSWORD" messages that would show up, you ain't kiddin'. If gobs of
those messages suddenly started scrolling across the console screen, our
operators would be on the phone in a flash. (One of the benefits of 24x7
operations.)

Just my $.02,
Patrick
--
Patrick Santucci
Technical Services Systems Programmer
KVI, a division of Seabury & Smith
Visit our site! http://www.kvi-ins.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If they try to rush me, I always say, 'I've only got
one other speed -- and it's slower.'"    ~ Glenn Ford
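An added worked example (not part of the thread) that puts the two models being argued about side by side: the PKZip table's flat 10,000 keys/second versus an interactive signon where every attempt waits for the next prompt and every third failure forces the HELLO command to be retyped. The 0.5 s turnaround, the 3 s HELLO cost and the 10,000 keys/second rate are assumptions taken from the figures quoted in the discussion, not measurements.

```python
# Added example: brute-force time estimates for an offline key search versus
# an interactive HP3000 signon. All rates and delays are assumed parameters.

ALPHA = 26        # A-Z only, as in the post's 3-character example
ALPHANUM = 36     # A-Z plus 0-9
FULL_ASCII = 256  # every byte value, as an unfamiliar attacker might try


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def offline_seconds(charset_size: int, length: int,
                    keys_per_second: float = 10_000.0,
                    expected: bool = True) -> float:
    """Seconds to search the keyspace at a flat rate (the PKZip table model).

    With expected=True the result is halved: on average the right password
    is reached halfway through the search (the "divide by two" correction)."""
    total = keyspace(charset_size, length) / keys_per_second
    return total / 2 if expected else total


def signon_seconds(charset_size: int, length: int,
                   turnaround: float = 0.5,      # assumed wait per attempt
                   hello_cost: float = 3.0,      # assumed cost of re-entering HELLO
                   retries_per_hello: int = 3,   # attempts allowed per HELLO
                   expected: bool = True) -> float:
    """Seconds against an interactive signon.

    Each attempt costs `turnaround` seconds before the next password prompt
    appears, and after `retries_per_hello` failures the whole HELLO command
    must be typed again, costing `hello_cost` seconds."""
    attempts = keyspace(charset_size, length)
    if expected:
        attempts = attempts / 2
    # hello_cost / retries_per_hello spreads the HELLO cost over its attempts
    return attempts * turnaround + attempts * hello_cost / retries_per_hello


def slowdown_factor(charset_size: int, length: int) -> float:
    """How many times slower the interactive signon is than the flat model."""
    return signon_seconds(charset_size, length) / offline_seconds(charset_size, length)


if __name__ == "__main__":
    for name, size in (("alpha", ALPHA), ("alphanum", ALPHANUM), ("ascii", FULL_ASCII)):
        print(f"{name:>8} len=3: offline {offline_seconds(size, 3):>10.2f}s  "
              f"signon {signon_seconds(size, 3) / 3600:>10.1f}h  "
              f"x{slowdown_factor(size, 3):,.0f} slower")
```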
