Well, now that we know the formula (assuming
you didn't post a bogus example formula) there
are only 26^3 possibilities to check for. That's
much easier than the billions of combinations one
would normally have to try when brute-forcing
or doing a dictionary attack with modification
rules.
Are they stupid? Oh wait, you covered that in your
original note.
Uhh... What was the name of the client? :)
Ryan
sedwards @ sedwards . com on 10/24/97 02:10:31 PM
To: Firewalls @ GreatCircle . COM @ smtp
cc: (bcc: Ryan Russell/SYBASE)
Subject: Algorithmically derived passwords
I'm curious as to the "list's" opinion of using a "formula" to create
passwords.
One of my clients gives all of their hosts root passwords like:
first-letter-of-host-name + (last-digit-of-host-name * 3) % 10\
+ "^" + 3-somewhat-random-letters
Their logic is that it:
1) is not susceptible to dictionary based attacks
2) is different for each host (as long as the formula is not known)
3) is easy to remember or derive (assuming you know the formula)
What do the experts think?
Thanks in advance,
---------------------------------------------------------------------------
Steve Edwards    sedwards @ sedwards . com    Voice: +1-760-723-2727
Newline                                       Fax: +1-760-731-3000
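
An added example, not part of either message: a small audit sketch of the scheme discussed above, showing which part of each root password is derivable from the host name and how much entropy remains once the formula is known. Assumptions: the formula is read as first letter, then the digit (last-digit * 3) % 10, then "^", then three letters; the letters are lowercase (matching the 26^3 in the reply); the host names are constructed.

```python
import math
import re
import string

RANDOM_LETTERS = 3                 # "3-somewhat-random-letters" from the post
ALPHABET = string.ascii_lowercase  # assumption: lowercase only, hence 26^3


def fixed_prefix(hostname):
    """Part of the password anyone who knows the formula can derive."""
    m = re.search(r"(\d)$", hostname)
    if not hostname or not hostname[0].isalpha() or m is None:
        # Edge case: the formula is undefined without a trailing digit.
        raise ValueError(f"formula undefined for hostname {hostname!r}")
    digit = (int(m.group(1)) * 3) % 10
    return f"{hostname[0]}{digit}^"


def follows_scheme(hostname, password):
    """Audit check: does this password have the formula's shape for this host?"""
    try:
        prefix = fixed_prefix(hostname)
    except ValueError:
        return False
    tail = password[len(prefix):]
    return (password.startswith(prefix) and len(tail) == RANDOM_LETTERS
            and all(c in ALPHABET for c in tail))


def residual_bits():
    """Entropy left once the formula is known: only the three letters."""
    return RANDOM_LETTERS * math.log2(len(ALPHABET))


def random_bits(length=6, charset=95):
    """Entropy of a uniformly random password of the same length
    drawn from the 95 printable ASCII characters."""
    return length * math.log2(charset)


if __name__ == "__main__":
    for host in ("venus7", "mars2"):  # constructed host names
        print(host, fixed_prefix(host) + "???")
    print(f"formula known: {26 ** 3} candidates, {residual_bits():.1f} bits")
    print(f"6 random printable chars: {95 ** 6} candidates, {random_bits():.1f} bits")
```

`follows_scheme` can be run over a password inventory to find hosts still using the derived pattern before they are rotated to independently generated passwords.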