If I went into cracking mode and was going to attempt a dictionary attack, and I had any idea that the victim was recommending or forcing people not to use vowels, I would change all the words in my dictionary to put numbers in for the vowels. There would be no increase in the number of words in the list, so the odds of getting a hit would be the same.
And I agree on uncrackable vs. guessable: if someone really wants in and they have the time and the resources, they will get in. Same as with physical security: no matter how much you have in place, someone with the time and resources can bypass all your security systems and gain physical access.
-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Simon Coulter
Sent: Tuesday, April 22, 2008 11:30 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] New Password rules at VRM610
On 23/04/2008, at 11:29 AM, Mike Cunningham wrote:
> Don't you think the password crackers have figured out the number
> for vowel trick and are using those variations in dictionary
> attacks? I don't think a password of f1shh3ad is any more secure
> than fishhead anymore. I like passphrases in mixed case for those
> accounts that need the highest security.
Whether they have figured it out or not is immaterial. It will take
more attempts to brute-force crack a password that omits vowels or
replaces them with numbers than to crack complete words.
Whether that adds much to the elapsed time of a brute-force attack
given the current desktop power is a separate argument.
Seems to me the purpose of all password rules is not to ensure
"uncrackable" passwords but rather to ensure less easily "guessable"
ones. It is primarily an audit-satisfaction tool.
Given enough time, enough CPU, and enough reason, probably anything
is crackable--certainly any encryption to which we have access. You
don't think the US Govt. allowed 128-bit encryption to all their
"friends" because they CAN'T crack it in a reasonable time do you?
Regards,
Simon Coulter.
--------------------------------------------------------------------
FlyByNight Software OS/400, i5/OS Technical Specialists
http://www.flybynight.com.au/
Phone: +61 2 6657 8251 Mobile: +61 0411 091 400
Fax: +61 2 6657 8251
ASCII Ribbon campaign against HTML E-Mail
--------------------------------------------------------------------
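The two positions above (one candidate per word when a fixed "number for vowel" mapping is applied to the whole list, versus more attempts when every combination of substitutions has to be tried) can be made concrete with a small script. This is an added example, not code from either poster or from the list; the wordlist, the vowel-to-digit mapping and the target password hash are constructed for the illustration, and the rule engine is a hand-rolled stand-in for what a tool such as a real cracker's mangling rules would do.

```python
import hashlib
import itertools

# Constructed sample wordlist (not from the thread); a real run would use a large dictionary.
WORDLIST = ["fishhead", "password", "midrange", "security", "iseries"]

# Fixed vowel->digit mapping, the "number for vowel trick" discussed in the thread.
# (Assumed mapping; u is deliberately left alone to show unmapped letters pass through.)
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}


def fixed_substitution(word):
    """Replace every mappable vowel. One candidate per word: list size unchanged."""
    return "".join(LEET.get(c, c) for c in word)


def all_substitutions(word):
    """Every choice of which mappable vowels to replace.

    A word with k mappable letters yields 2**k distinct candidates, which is
    why partial substitutions such as f1shh3ad (a left as-is) cost extra attempts.
    """
    positions = [i for i, c in enumerate(word) if c in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, i in zip(mask, positions):
            if flip:
                chars[i] = LEET[chars[i]]
        out.add("".join(chars))
    return sorted(out)


def build_candidates(words, mode):
    """mode: 'plain' (dictionary as-is), 'fixed' (every word rewritten), 'all' (every variant)."""
    cands = []
    for w in words:
        if mode == "plain":
            cands.append(w)
        elif mode == "fixed":
            cands.append(fixed_substitution(w))
        elif mode == "all":
            cands.extend(all_substitutions(w))
        else:
            raise ValueError("unknown mode: %r" % mode)
    return cands


def sha256_hex(s):
    # Unsalted SHA-256 stands in for whatever hash the target stores; the
    # counting argument is independent of the hash function.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash, words, mode):
    """Return (recovered_password, attempts_made); password is None on failure."""
    attempts = 0
    for cand in build_candidates(words, mode):
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    target = sha256_hex("f1shh3ad")  # constructed target, the password from the thread
    for mode in ("plain", "fixed", "all"):
        size = len(build_candidates(WORDLIST, mode))
        found, n = crack(target, WORDLIST, mode)
        print("%-5s list size %2d -> %s after %d attempts" % (mode, size, found, n))
```

Running it shows the plain list misses, the rewritten list is the same size (5) but only hits passwords where every vowel was replaced, and the exhaustive variant list recovers f1shh3ad at the cost of a list that has grown from 5 to 40 entries.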
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit:
http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/security400.