Password crackers

Yohhan

Senior member
May 17, 2002
263
0
0
If a user has physical access to a computer, is there any way to make pw cracking more difficult? Or is choosing a strong password the best option you have? What makes a very strong WinXP and Linux password? I've heard that passwords over 7 or 8 characters on Windows do not make them significantly stronger.

If it were up to me... I'd like to completely disable downloads for limited users on my system, as well as media, so pw cracking programs can't be downloaded to begin with. Is this even possible on XP?
 

eigen

Diamond Member
Nov 19, 2003
4,000
1
0
Originally posted by: Yohhan
If a user has physical access to a computer, is there any way to make pw cracking more difficult? Or is choosing a strong password the best option you have? What makes a very strong WinXP and Linux password? I've heard that passwords over 7 or 8 characters on Windows do not make them significantly stronger.

If it were up to me... I'd like to completely disable downloads for limited users on my system, as well as media, so pw cracking programs can't be downloaded to begin with. Is this even possible on XP?

Remember to password-protect the BIOS, so I don't change the boot sequence and boot insert or any number of Linux CDs that can change the admin password.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If it were up to me... I'd like to completely disable downloads for limited users on my system, as well as media, so pw cracking programs can't be downloaded to begin with. Is this even possible on XP?

They don't need to install the program there; if they have admin rights they can just dump the SAM and take it with them. If they don't have admin rights they can't dump the SAM anyway. Same with Linux: you need root to read /etc/shadow to get the password hashes.

Remember to password-protect the BIOS, so I don't change the boot sequence and boot insert or any number of Linux CDs that can change the admin password.

Because it's so hard to short the BIOS and reset it back to defaults.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0

If a person has physical access to any computer, you should make the concept of securing the computer against that person a foregone conclusion. You can do things like set passwords in the BIOS and not allow administrative/root access to that machine, but all that is going to do is protect yourself from normal users who get tempted to install software or do stupid stuff. The only other purpose that they serve is that when you go to work on the machine and there is no BIOS password, or the passwords have been changed, then you know that the computer has been violated.

What you do then to protect the computer physically is only to have people that are trustworthy access the computer and then use physical security to restrict access. Basically locked rooms (and ceilings and floors), background checks, security keycards and the like.

To protect your passwords from password cracking programs, what you do is implement strong password policies. Complex passwords: minimum of 8 or more characters. No real words, English or otherwise. No 733t spelling or character substitution. They must be a mixture of uppercase and lowercase alphanumeric characters, including special characters. That sort of thing.

Then to make it easier on yourself you could pull password files and run cracking programs against the password file yourself and then send notices to people whose passwords are too easily guessed at by the programs. This could even be a semi-automated system.

It's a trade-off, though. If you make things more difficult for the users, then they will do stuff like write down passwords on pieces of paper and leave that around. Also it would possibly make handbags and purses objects to steal, and don't believe for a second that a person who wants to do a very good job of ripping you off wouldn't go into your place of business and try something like that. Or ex-employees, or disgruntled employees... etc.

So maybe you would have policies on access to your computers that would restrict the damage that would be done if a person found out passwords and whatnot, and then set varying degrees of anal-ness on password protection on that. Like for normal users you'd have them change the passwords every couple of months, and just ask them not to use dictionary words or the names or birthdates of their pets and stuff like that. Then for techs or whatnot that would need to have administrative rights to some computers, you make them change it every week or whatnot, and tell them that using good passwords is part of their job's responsibilities. Then for people who have physical access to your servers and sensitive information you'd have them use a combination of strong passwords and maybe a physical token, like a secure card or USB keychain device with a private keycode.

Something like that. Passwords are a huge problem nowadays; they have to be simple enough for people to remember them, but difficult enough that it takes more than a few minutes with a cracking program to find them out. Even then they are vulnerable to social engineering and phishing attacks... Sucks.
 

EULA

Senior member
Aug 13, 2004
940
0
0
A password such as my ********* isn't too hard to remember; however, I sometimes have to choose a shorter one because they don't allow all the characters...


Edit: Wait a moment, I just posted my password... WTH was I thinking...
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: EULA
A password such as my ********* isn't too hard to remember; however, I sometimes have to choose a shorter one because they don't allow all the characters...


Edit: Wait a moment, I just posted my password... WTH was I thinking...

haha.


Here is how I like to make passwords for myself. I use a process...
Say take a phrase that you can remember:
The Cow Jumped Over the Moon.
then 733t speak it
T|n3 CoW Jum93D 0\/e,~ Th3 Mo0n.
Then add some strategic punctuation:
T|n* Co\W/ (Jum93d) O\/e,~ Th3 M*0n.
then compress it
T|n*Co\W/(um3d)\/e~M*on.

Then when I write it down, practice it a few times.
Say it to myself:
the cow umped 'ver moon.

Then after a while I mostly forget it, and saying it to myself plus muscle memory will do the total recall well enough that it usually works.

Of course, the less serious the password, the smaller and easier it gets to remember. Something like that would be reserved for something very serious. I have something like 8 or so different passwords I have to remember for different things, and if they were all like that, then I'd go insane.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Passphrases are becoming more popular...at least more recommended. Then you can actually have users with a 25+ character password:
The Cow jumped Over the Moon.

29 characters, Mixed cases, special characters (spaces), and punctuation. Yet, it's all common words and easy for the user to remember. Personally, I'm a fan of doing some number/character substitution as well.

I have to disagree with drag: "No 733t spelling or character substitution." Absolutely, they can/should. The greater the keyset (lower alphas, upper alphas, numerics, specials) the harder to crack. I would include common "leet speak" words as common words (733t, pr0n, etc.).

The other factor not mentioned (yet) is password change interval. You should age passwords, so users can't keep the same password for more than a set period of time.

And the final factor I'll mention is user tolerance for all this stuff. If the policies aren't easy enough for them to follow, they'll write passwords down and they'll call the helpdesk constantly. Either way, you're not helping yourself. I'd suggest gradual changes, and telling the user about these different strategies for creating/managing their passwords.

Physical Access to the Machine = it's already out of your control/protection.
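Nothinman notes above that the Linux hashes live in /etc/shadow and need root to read, drag suggests auditing your own password file, and Woodie adds password aging. The script below is an added example, not code from the thread or from any of the posters: it parses constructed shadow-format entries and reports the defender-side problems those posts touch on, namely accounts hashed with a weak algorithm, accounts with an empty password field, and accounts whose passwords never age. The sample lines and their hash strings are constructed placeholders; the 90-day limit is an assumed policy value.

```python
"""Audit of /etc/shadow entries (added example, not code from the thread).

Each shadow line is login:hash:lastchg:min:max:warn:inactive:expire:flag.
Reading the real file requires root; this runs on a constructed sample.
"""

# Prefixes written by modern crypt(3)/libxcrypt for password hashes.
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2a$", "$2b$", "$2y$")
WEAK_PREFIXES = {"$1$": "md5crypt"}

# Constructed sample file. The hash fields are placeholders in the right
# shape, not real hashes.
SHADOW_SAMPLE = """\
root:$6$c0nstructed$PLACEHOLDERsha512crypt:19345:0:90:7:::
alice:$1$c0nstructed$PLACEHOLDERmd5crypt:18000:0:99999:7:::
bob::19345:0:99999:7:::
legacy:AbCdEfGhIjKlM:17000:0:99999:7:::
daemon:*:19345:0:99999:7:::
svc:!:19345:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Map a shadow password field to empty, locked, ok, weak:<algo> or unknown."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"          # account disabled or no password login at all
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return f"weak:{name}"
    if field.startswith(STRONG_PREFIXES):
        return "ok"
    if "$" not in field and len(field) == 13:
        return "weak:descrypt"   # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def audit_shadow(text: str, max_age: int = 90) -> dict:
    """Return {login: [issues]} for every entry that violates the policy."""
    findings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != 9:
            findings[f"line {lineno}"] = ["malformed entry"]
            continue
        login, pw_hash, _lastchg, _min_days, max_days, *_ = parts
        kind = classify_hash(pw_hash)
        if kind == "locked":
            continue                 # nothing to crack and nothing to age
        issues = []
        if kind == "empty":
            issues.append("empty password field: login without a password")
        elif kind.startswith("weak:"):
            issues.append(f"weak hash algorithm ({kind[5:]})")
        elif kind == "unknown":
            issues.append("unrecognised hash format")
        # An empty max field or the 99999 default means the password never expires.
        if max_days == "" or int(max_days) > max_age:
            issues.append(f"no password aging (max age not within {max_age} days)")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in audit_shadow(SHADOW_SAMPLE).items():
        print(f"{login}: {'; '.join(issues)}")
```

Locked accounts are skipped on purpose: a `*` or `!` field has no hash to crack and no password to age, so flagging it would only add noise to the notices drag talks about sending out.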
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Well you can also use other forms of authentication.

For instance, with OpenSSH you can disable password authentication and do a combination of public key pair authentication and passphrases.
http://cfm.gs.washington.edu/s...ity/ssh/client-pkauth/

With a PAM module in Linux you can set up a USB keyring-style device and X.509-style authentication instead of, or in combination with, password login on local machines.
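The OpenSSH setup in the post above comes down to a handful of sshd_config keywords. The checker below is an added example, not drag's code and not part of OpenSSH: it reads the global section of an sshd_config (everything before the first Match block), applies sshd's rule that the first value given for a keyword wins, fills in the documented defaults for keywords that are absent, and reports which settings still allow something other than key-based login. The sample config is constructed; the set of keywords it checks is my choice.

```python
"""sshd_config check for key-only login (added example, not code from the thread)."""

# keyword -> (documented default when absent, value required for key-only login)
EXPECTED = {
    "passwordauthentication": ("yes", "no"),
    "kbdinteractiveauthentication": ("yes", "no"),   # PAM can prompt for passwords here
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("prohibit-password", "prohibit-password"),
}
# Older spelling that sshd still accepts as an alias for the newer keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed excerpt. The duplicated PasswordAuthentication line is deliberate:
# sshd uses the first value, so the later "no" does not take effect, and the
# Match block only applies to one user.
SSHD_SAMPLE = """\
# constructed sshd_config excerpt
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""


def effective_settings(text: str) -> dict:
    """Parse the global section; first value per keyword wins (sshd semantics)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break                        # conditional blocks are out of scope here
        key = ALIASES.get(key, key)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings


def audit_sshd(text: str) -> dict:
    """Return {keyword: (effective value, required value)} for each wrong setting."""
    seen = effective_settings(text)
    wrong = {}
    for key, (default, required) in EXPECTED.items():
        effective = seen.get(key, default)
        if effective != required:
            wrong[key] = (effective, required)
    return wrong


if __name__ == "__main__":
    for key, (have, want) in audit_sshd(SSHD_SAMPLE).items():
        print(f"{key}: is '{have}', should be '{want}'")
```

KbdInteractiveAuthentication is in the list because turning off PasswordAuthentication alone is not enough on systems where PAM is enabled: the keyboard-interactive method can still prompt for the account password.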
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
A good password will get you far, but without physical security, there's no security.
There are myriads of ways to break into a computer you have physical access to.

Anyway, a good password should be random IMO, a l33t spelling of your name, or some such is good, but entirely random is better.
An old password I never use anymore (hence I feel comfortable posting it, unlike some others here) is "1A9+4oRk", a tad hard to remember the first few times, but after you've typed it 5-10 times, you'll remember.
Heck, I haven't used it in quite some time, and I still remember it, though it took me a little while to do so.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
There are a few types of computers that would be safe from physical attack. Well, at least mostly safe.

I took a Unix class a while ago and the teacher liked to tell stories, and one he told was about when the school had bought two Unix machines at great expense that would be used by students to render 3D stuff on, IIRC. Well, the important part happened when they were set up and the software on them was initialized. The guy had set the root passwords on both machines and no other accounts. The next day came and apparently he either forgot one of their passwords or mistyped it when he entered it. So he couldn't log on, couldn't re-install the OS, and couldn't get into single-user mode to reset the passwords.

You see, one of the things they advertised about the machine was that it was completely secure, even against physical attack. So the only way you could reset the machine was to have a tech come out with a special tool and re-flash or replace a chip on the motherboard, and of course this would be extremely expensive, and of course they used up the budget on buying the computers in the first place. So no computer, just a multi-thousand-dollar paperweight. At least they still had the other one.
 

sciencewhiz

Diamond Member
Jun 30, 2000
5,885
8
81
Some dictionaries have l33t spellings too, or an algorithm to translate the dictionary to l33t. So, taking a simple dictionary word and making it l33t is not good enough, but taking a phrase and making it l33t probably is.
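Put together, the posts from drag (length, character classes, no dictionary words), Woodie (the larger keyset helps) and sciencewhiz (wordlists already carry l33t spellings) describe a checkable policy. The script below is an added example, not code from the thread or from any of the posters: it enforces that policy at password-set time by undoing common character substitutions before the dictionary lookup, so a single l33t-ified word is rejected while a l33t-ified phrase passes. The WORDLIST is a tiny constructed stand-in for a real wordlist, and the substitution table is my own, not exhaustive.

```python
"""Password-policy checker (added example, not code from the thread)."""
import re

# Constructed mini-dictionary. A deployment would load a large wordlist here.
WORDLIST = {"password", "secret", "letmein", "welcome", "admin", "cow", "moon"}

# Reverse l33t substitutions (token -> letter). Multi-character tokens come
# first so that "|n" becomes "h" before a bare "|" is turned into "l".
DELEET = [
    ("|n", "h"), ("\\/", "v"), ("|_", "l"),
    ("4", "a"), ("@", "a"), ("8", "b"), ("3", "e"), ("1", "i"),
    ("0", "o"), ("5", "s"), ("$", "s"), ("7", "t"), ("+", "t"), ("|", "l"),
]
_EDGE = re.compile(r"^[^a-z]+|[^a-z]+$")   # leading/trailing digits and punctuation


def normalise(candidate: str) -> set:
    """Return the plain lowercase forms a candidate could have been derived from.

    Two variants are produced: one with edge digits/punctuation trimmed first
    (catches "password1!") and one without (catches "@dmin", where the leading
    symbol is itself a substitution).
    """
    lower = candidate.lower()
    forms = set()
    for s in (_EDGE.sub("", lower), lower):
        for token, letter in DELEET:
            s = s.replace(token, letter)
        forms.add(re.sub(r"[^a-z]", "", s))   # drop any punctuation left inside
    return forms


def char_classes(candidate: str) -> set:
    """Character classes present; spaces and punctuation both count as special."""
    classes = set()
    for ch in candidate:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(candidate: str, wordlist=WORDLIST,
                   min_length: int = 8, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = char_classes(candidate)
    if len(classes) < min_classes:
        problems.append(f"only {len(classes)} character class(es), need {min_classes}")
    hits = normalise(candidate) & set(wordlist)
    if hits:
        problems.append(f"reduces to the dictionary word '{sorted(hits)[0]}'")
    return problems


if __name__ == "__main__":
    samples = ["password", "P@55w0rd!", "The Cow jumped Over the Moon.",
               "T|n*Co\\W/(um3d)\\/e~M*on."]
    for pw in samples:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Woodie's passphrase and drag's compressed phrase both pass, because neither collapses to one dictionary entry, while "P@55w0rd!" fails despite having all four character classes. A real deployment would swap WORDLIST for a large list and run the same check server-side, where the plaintext is available only at the moment the password is set.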
 

HKSturboKID

Golden Member
Oct 20, 2000
1,816
0
0
I don't care how strong your password is. At the end of the day, if you don't have physical security, I rip the hard drive out of the PC, take it home, plug it in, download everything I need and bring it back tomorrow morning.
 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Originally posted by: Nothinman
If it were up to me... I'd like to completely disable downloads for limited users on my system, as well as media, so pw cracking programs can't be downloaded to begin with. Is this even possible on XP?

They don't need to install the program there; if they have admin rights they can just dump the SAM and take it with them. If they don't have admin rights they can't dump the SAM anyway. Same with Linux: you need root to read /etc/shadow to get the password hashes.

Remember to password-protect the BIOS, so I don't change the boot sequence and boot insert or any number of Linux CDs that can change the admin password.

Because it's so hard to short the BIOS and reset it back to defaults.

On a laptop this is good protection for a while. Especially if it's a manufacturer like Dell.
 

sciencewhiz

Diamond Member
Jun 30, 2000
5,885
8
81
Originally posted by: HKSturboKID
I don't care how strong your password is. At the end of the day, if you don't have physical security, I rip the hard drive out of the PC, take it home, plug it in, download everything I need and bring it back tomorrow morning.

Unless they use an encrypted file system.
 

HKSturboKID

Golden Member
Oct 20, 2000
1,816
0
0
Originally posted by: sciencewhiz
Originally posted by: HKSturboKID
I don't care how strong your password is. At the end of the day, if you don't have physical security, I rip the hard drive out of the PC, take it home, plug it in, download everything I need and bring it back tomorrow morning.

Unless they use an encrypted file system.

With most companies nowadays, they prolly use NTFS, which has file-level permission for EVERYONE and share-level permission for EVERYONE access. That is why they always remind you to save stuff on the network drives.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Corporate machines shouldn't have non-admin shares...and users aren't generally local admins, so they can't create their own.
 

groovin

Senior member
Jul 24, 2001
857
0
0
Yeah, if someone has physical access to your machine you're pretty screwed. The only way I've seen that helps fight this is when your entire filesystem (root partition, swap, etc.) is encrypted. Even then, I'm sure there are still some ways of breaking in.
 