Some of what you said reminded me of a so-called security audit we once had performed at a company I used to work for...
For those of you who suggested I look for other exploits, I look for them all, that's why I'm paid.
This statement worries me a little bit. How exactly do you go about looking for ALL exploits? I am not saying that you don't do a thorough job... I may know that no matter how hard you look, and no matter how hard you try, you can't possibly catch everything.
Trouble is, any non-technical person you talk to probably believes that you are truly going to find any possible hole.
Normally I test password strength by pulling back the hash file (you need admin rights for this) and then cracking it with L0phtCrack. Well, in some circumstances clients do not feel like giving me one of these accounts.
During that time, one of the auditors wanted either administrative rights to our domain, or a copy of the password hash to test against. I would hope you would see why we would be very against this happening. We would have been significantly more comfortable if we had been asked to run it ourselves, and report back on the results.
To give away every username and password on our domain to an outside company like that is most definitely not a very secure thing to do. As a matter of fact, I would hope to lose points on a security evaluation for giving in to such a request :). We'd have to trust the individual with each of those passwords, and we then are trusting everyone in their organization with those passwords. Your findings would be useless shortly afterwards, because the only thing we could do after giving that to you would be to force password changes across the entire company. (not fun!)
In any case, I think that there must be a way to do this in a reasonable time for a password of say 8 characters in length max. L0phtCrack is able to do so, and usually gets the passes within a few hours.
8 character passwords would go A LOT quicker than 16 character passwords. If we assume uppercase, lowercase, and digits, each character you tack on to the password will take 62 times longer to crack. So going from 8 characters to 9 will bring you up from hours to days. Going from 9 to 10 characters brings it into months, and the 11th character brings us up to many years.
I don't think anyone here said brute forcing an 8 character password was impossible, what they are saying is brute forcing a 16 character password is FAR from twice as hard. I guess the moral of the story here is to make sure your passwords are 10 or 11 characters long, eh? :p
One of the uses I had planned for this script was to help me in situations where my client does not give me an admin account.
This presents a much larger problem, doesn't it? If you can hit against a password hash on a local box, you can try combinations MUCH faster than trying to make login attempts. I'm assuming this is what you are doing, since we are comparing to l0pht. I would hope you would already know that this would probably be fruitless, even with an 8 character password.
Now some of you are probably asking why I would bother asking if I already knew this. Well, I don't know everything; I thought someone might know something I didn't.
If you were aware of this, I am sure you would have gotten much friendlier responses if you had mentioned this in the original post.
Anyway, I most definitely do not consider myself to be a security expert... But I do have to say that almost everyone I have ever had the pleasure of working with who CLAIMED to be an expert in these matters was frighteningly ignorant of way too many things.
In reply to Re: Re: Password cracking algorithm
by oknow
in thread Password cracking algorithm
by SyN/AcK
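The scaling argument in the post above (every extra character multiplies the search by the alphabet size, and guessing against a hash file in hand runs far faster than making login attempts) is easy to put numbers on. The following is an added illustration, not code from the thread or from either poster's script. The 62-symbol alphabet is the one the post assumes; the two guess rates (ten million hashes per second offline, ten login attempts per second online) are assumptions chosen for illustration, not measurements from the thread.

```python
"""Worst-case exhaustive-search times for the alphabet/length model
discussed in the thread.  Added illustration; the guess rates below are
assumptions for the sake of the example, not figures from the thread."""

ALPHABET_SIZE = 62  # uppercase + lowercase + digits, as in the post above

# Assumed guess rates, for illustration only (not from the thread):
OFFLINE_RATE = 10_000_000  # hashes/second when the hash file is in hand
ONLINE_RATE = 10           # login attempts/second against a live service


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def growth_factor(length_from, length_to, alphabet_size=ALPHABET_SIZE):
    """How many times larger the search is at `length_to` than at `length_from`."""
    return alphabet_size ** (length_to - length_from)


def seconds_to_exhaust(length, rate_per_second, alphabet_size=ALPHABET_SIZE):
    """Seconds to try every password of exactly `length` characters (worst case)."""
    return keyspace(length, alphabet_size) / rate_per_second


def humanize(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    )
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(rate_per_second, lengths=range(8, 17), alphabet_size=ALPHABET_SIZE):
    """List of (length, worst-case seconds) for each length at the given guess rate."""
    return [(n, seconds_to_exhaust(n, rate_per_second, alphabet_size)) for n in lengths]


if __name__ == "__main__":
    for label, rate in (("offline hash cracking", OFFLINE_RATE),
                        ("online login attempts", ONLINE_RATE)):
        print(f"--- {label}: {rate:,} guesses/second (assumed) ---")
        for n, secs in crack_table(rate):
            print(f"{n:2d} chars: {humanize(secs)}")
    # 16 characters is not "twice as hard" as 8: it is 62**8 times as hard.
    print(f"16 chars vs 8 chars: {growth_factor(8, 16):,} times the work")
```

Running it prints one table per assumed rate; the offline and online columns differ by a constant factor (here a million) while each extra character multiplies every row by 62. The model follows the post's arithmetic, one undivided search over the whole password, and does not account for hash formats that weaken the search, such as LM hashes splitting the password into two 7-character halves, which is part of why L0phtCrack finishes 8-character LM passwords so much faster than this table suggests.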