Forwarded from: Jason Burzenski <jason.burzenskiat_private>

I recommend users use a personal cryptography system to ensure quality passwords. The idea is: the user chooses a cipher to remember that will be applied to passwords, and the passwords before they are ciphered.

For example, if you insist that your password should be iluvlinux for your email account and ihatelinux for your network logon, you might apply a simple substitution cipher that changes all vowels to h4ck3r vowels, then pad the password with predetermined special characters such as a ^ prefix and a ) suffix. For added strength, any consonants occurring before the letter N will be capitalized. The user would then use ^1LuvL1nux) to access email and ^1H4t3L1nux) for network logon.

A user only need remember the cipher and a common word/phrase in order to maintain a set of strong passwords. This is also helpful in an environment where users insist on writing their passwords on sticky notes and attaching them to the sides of their monitors. Finding a list of common words will not allow an attacker to gain entry without knowing the correct cipher.

If you're truly a genius and you have room in your mind for more than one cipher, you can associate a cipher with a set of associated systems. Have a cipher for work, for personal business, for spam generating websites, etc. It's not a cure-all but ^CH4rL13) is still a stronger password than charlie.

Jason Burzenski, CISSP

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
Sent: Friday, May 24, 2002 6:30 AM
To: isnat_private
Subject: [ISN] Hackers can crack most in less than a minute

http://news.com.com/2009-1001-916719.html?tag=fd_lede

By Rob Lemos
Staff Writer, CNET News.com
May 22, 2002, 4:00 a.m. PT

When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look.
Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.

"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
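The personal password cipher Jason Burzenski describes above, written out as an added example (not code from the original message or from ISN): it reproduces his three quoted results and, because the mapping is reversible, makes visible that the scheme's strength rests on the cipher itself staying private, as he notes. Assumptions: "consonants occurring before the letter N" is read alphabetically (b through m), and vowels the message shows no substitution for (o, u) pass through unchanged, which matches the 'u' in his examples.

```python
# Added example, not part of the original ISN message: Jason Burzenski's
# personal cipher for deriving passwords from a remembered base word.
import string

# Substitutions the message shows: i->1, a->4, e->3. Its examples leave
# 'u' unchanged and show no 'o', so those vowels pass through (assumption).
LEET_VOWELS = {"a": "4", "e": "3", "i": "1"}
REVERSE_LEET = {v: k for k, v in LEET_VOWELS.items()}

# The predetermined padding characters from the message.
PREFIX, SUFFIX = "^", ")"

# "Consonants occurring before the letter N" read alphabetically:
# a..m minus the vowels a, e, i -> b c d f g h j k l m (assumption).
EARLY_CONSONANTS = {c for c in string.ascii_lowercase[:13] if c not in "aei"}


def personal_cipher(base: str) -> str:
    """Apply the cipher to one base word and return the derived password."""
    out = []
    for ch in base.lower():
        if ch in LEET_VOWELS:
            out.append(LEET_VOWELS[ch])          # vowel -> h4ck3r vowel
        elif ch in EARLY_CONSONANTS:
            out.append(ch.upper())               # consonant before N -> capital
        else:
            out.append(ch)                       # everything else unchanged
    return PREFIX + "".join(out) + SUFFIX


def passwords_for(base_words: dict) -> dict:
    """Apply the single remembered cipher to each system's base word."""
    return {system: personal_cipher(word) for system, word in base_words.items()}


def recover_base(password: str) -> str:
    """Inverse of the cipher: anyone who knows the cipher gets the base word back,
    so the base word adds no secrecy of its own once the cipher is known."""
    body = password.removeprefix(PREFIX).removesuffix(SUFFIX)
    return "".join(REVERSE_LEET.get(ch, ch.lower()) for ch in body)


if __name__ == "__main__":
    # Constructed sample: the two systems named in the message.
    for system, pw in passwords_for({"email": "iluvlinux",
                                     "network logon": "ihatelinux"}).items():
        print(f"{system:14s} {pw}  (base word: {recover_base(pw)})")
```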
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 06:04:21 PDT