dagmar.wants at nospam.com
Wed Feb 18 10:39:43 PST 2004
On Wed, 2004-02-18 at 09:22, Ian Molton wrote:
> On Wed, 18 Feb 2004 14:54:18 +0000
> Spencer Collyer <spencer at lasermount.uklinux.net> wrote:
> > and disallowing pure-alpha or
> > pure-numeric passwords (as a simple attempt to eliminate pet names or
> > birthdays)..
> pointless. I guarantee 99% of users will simply switch i for 1 and o for 0.
(ignoring for the moment cracklib)
Enter John the Ripper... everyone's favorite tool for detecting failures
on the user's part to follow policy about selecting good passwords.
John the Ripper is very nice in that, aside from being hellishly fast,
it can be configured to run at a particular nice level, as well as
respect a maximum system load setting above which it will not run.
Admins can (and probably should) use this to regularly audit the
passwords and flat out disable anyone who gets busted until they select
a new password.
People on this list who are actually running multi-user boxes and have
never used John the Ripper before should look into it. Feed it about
20Mb of dictionary words, use the standard rules it has for permuting
passwords, and you're just about assured of busting 20% (and often as
high as 80-85% in college environments, for example) of the ciphertext
passwords you throw at it. It's a big eye-opener for shops who have
been neglecting attempts to detect user misbehaviour. (My last security
assessment turned up more than half the passwords for the users without
The email address above is phony because my penis is already large enough, kthx.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
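Added example, not from the thread: a small Python policy check that shows the quoted objection in code. The naive pure-alpha/pure-numeric rule lets "f1d0" through, while a check that undoes the i/1 and o/0 swaps (a rough imitation of two of John's standard rules) and looks the result up in a word list catches it. The word list is a constructed stand-in for the 20Mb dictionary the post mentions.

```python
import re
from typing import Optional

# Constructed stand-in for the large word list the post feeds to John;
# a real audit would load a full dictionary such as /usr/share/dict/words.
DICTIONARY = {"fido", "rover", "molly", "secret", "password"}

# The swaps the quoted reply predicts (i->1, o->0) plus a few cousins.
LEET_MAP = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def naive_check(pw: str) -> Optional[str]:
    """The rule from the quoted message: no pure-alpha, no pure-numeric."""
    if pw.isalpha():
        return "pure-alpha"
    if pw.isdigit():
        return "pure-numeric"
    return None

def _deleet(s: str) -> str:
    """Undo digit/symbol substitutions and keep only the letters."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET_MAP))

def dictionary_check(pw: str) -> Optional[str]:
    """Catch dictionary words hidden behind substitutions or appended digits.
    This imitates only two of John's standard rules (leet swaps, trailing
    digits); John applies many more, so a pass here is necessary, not
    sufficient."""
    low = pw.lower()
    # Two views: de-leet the whole string, and de-leet only the core after
    # trimming leading/trailing non-letters (so 'r0ver2004' -> 'rover').
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    for cand in {_deleet(low), _deleet(core)}:
        if cand in DICTIONARY:
            return f"dictionary word {cand!r} after undoing substitutions"
    return None

def check_password(pw: str) -> Optional[str]:
    """Full policy: naive rule first, then the dictionary rule."""
    return naive_check(pw) or dictionary_check(pw)

if __name__ == "__main__":
    for pw in ("fido", "f1d0", "r0ver2004", "blue-sky-42-lamp"):
        print(f"{pw:18} naive={naive_check(pw)!s:13} full={check_password(pw)}")
```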