RE: [ISN] Hackers can crack most in less than a minute

From: InfoSec News (isnat_private)
Date: Tue May 28 2002 - 01:34:56 PDT


    Forwarded from: Jason Burzenski <jason.burzenskiat_private>
    
    I recommend users use a personal cryptography system to ensure quality
    passwords.  The idea is: the user chooses a cipher to remember that
    will be applied to passwords, and the passwords before they are
    ciphered.
    
    For example, if you insist that your password should be iluvlinux for
    your email account and ihatelinux for your network logon you might
    apply a simple substitution cipher that changes all vowels to h4ck3r
    vowels, then pad the password with predetermined special characters
    such as a ^ prefix and a ) suffix.  For added strength, any consonants
    occurring before the letter N will be capitalized.  The user would
    then use ^1LuvL1nux) to access email and ^1H4t3L1nux) for network
    logon.
    
    A user need only remember the cipher and a common word/phrase in order
    to maintain a set of strong passwords.
    
    This is also helpful in an environment where users insist on writing
    their passwords on sticky notes and attaching them to the sides of
    their monitors. Finding a list of common words will not allow an
    attacker to gain entry without knowing the correct cipher.
    
    If you're truly a genius and you have room in your mind for more than
    one cipher, you can associate a cipher with a set of associated
    systems.  Have a cipher for work, for personal business, for spam
    generating websites, etc.
    
    It's not a cure-all, but ^CH4rL13) is still a stronger password than
    charlie.
    
    Jason Burzenski, CISSP
    
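The cipher described in the message above, written out as an added example (editor's code, not the poster's): it reproduces the three transformations in the post (iluvlinux, ihatelinux, charlie) and then runs the same transformation as a mangling rule in a small dictionary attack, the way a John the Ripper wordlist rule would, to show that once the rule is known the base word is recovered about as fast as the plain word. The o->0 substitution, the sha256 stand-in for the target's real password hash, the five-entry wordlist and the function names are all assumptions made for the example.

```python
"""Added example: the "personal cipher" from the post, and what a cracker
that knows the rule sees.  Hypothetical code, not the poster's; sha256
stands in for whatever hash the target system really stores."""
import hashlib

# Vowel substitutions implied by the post's examples (i->1, a->4, e->3,
# u kept).  o->0 is an assumption: the post shows no word containing an o.
LEET_VOWELS = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "u"}


def personal_cipher(word, prefix="^", suffix=")", vowel_map=LEET_VOWELS):
    """Apply the post's cipher: leet vowels, capitalise consonants that
    sort before the letter N, then pad with a fixed prefix and suffix."""
    out = []
    for ch in word.lower():
        if ch in vowel_map:
            out.append(vowel_map[ch])
        elif ch.isalpha() and ch < "n":   # consonant occurring before N
            out.append(ch.upper())
        else:
            out.append(ch)
    return prefix + "".join(out) + suffix


def stored_hash(password):
    """Stand-in for the target's password hash (assumption: a real system
    would use a salted, deliberately slow hash, not bare sha256)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed wordlist for the example; real attacks use millions of words.
WORDLIST = ["password", "linux", "charlie", "iluvlinux", "ihatelinux"]

# Mangling rules in the style of John the Ripper wordlist rules: each maps
# a dictionary word to a candidate.  The second rule *is* the cipher, so a
# cracker who has learned it (e.g. from one leaked password) applies it to
# every word in the list at no extra cost.
RULES = [
    ("plain", lambda w: w),
    ("personal_cipher", personal_cipher),
]


def dictionary_attack(target, wordlist=WORDLIST, rules=RULES):
    """Try every (word, rule) pair against the target hash.
    Returns (candidate, rule_name, guesses_made), or None if the
    wordlist is exhausted."""
    guesses = 0
    for word in wordlist:
        for name, rule in rules:
            guesses += 1
            candidate = rule(word)
            if stored_hash(candidate) == target:
                return candidate, name, guesses
    return None


if __name__ == "__main__":
    # The three transformations from the post.
    for base in ("iluvlinux", "ihatelinux", "charlie"):
        print(f"{base:12} -> {personal_cipher(base)}")
    # Rule-aware cracking: the ciphered form of a dictionary word falls in
    # one pass over the same wordlist as the plain word.
    print("recovered:", dictionary_attack(stored_hash("^CH4rL13)")))
    # What actually stops the attack is a base word the list does not hold.
    print("not in list:", dictionary_attack(stored_hash(personal_cipher("correcthorse"))))
```

The point the run makes is that the cipher multiplies the attacker's work only by the number of rules they have to try; the strength that remains comes from the base word not being in the wordlist, which is exactly the condition the CNET article below says most users fail.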
    
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf
    Of InfoSec News
    Sent: Friday, May 24, 2002 6:30 AM
    To: isnat_private
    Subject: [ISN] Hackers can crack most in less than a minute
    
    
    http://news.com.com/2009-1001-916719.html?tag=fd_lede
    
    By Rob Lemos
    Staff Writer, CNET News.com
    May 22, 2002, 4:00 a.m. PT
    
    When a regional health care company called in network protection firm
    Neohapsis to find the vulnerabilities in its systems, the
    Chicago-based security company knew a sure place to look.
    
    Retrieving the password file from one of the health care company's
    servers, the consulting firm put "John the Ripper," a well-known
    cracking program, on the case. While well-chosen passwords could take
    years--if not decades--of computer time to crack, it took the program
    only an hour to decipher 30 percent of the passwords for the nearly
    10,000 accounts listed in the file.
    
    "Just about every company that we have gone into, even large
    multinationals, has a high percentage of accounts with easily
    (cracked) passwords," said Greg Shipley, director of consulting for
    Neohapsis. "We have yet to see a company whose employees don't pick
    bad passwords."
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 06:04:21 PDT