[ale] OT - New encryption technology using a piece of paper

Michael H. Warfield mhw at WittsEnd.com
Tue Sep 6 11:48:31 EDT 2011


On Tue, 2011-09-06 at 11:30 -0400, Drifter wrote: 
> I'm sorry. I guess I don't have a high enough Geek Quotient.  But I just 
> don't get it.
> Can't the industry put a halt to brute force attempts at password cracking 
> simply by instituting an ever-increasing delay following incorrect 
> password input? It shouldn't be necessary to lock folks out after X wrong 
> inputs; just increase the delay: 0.1 seconds; 0.2; 0.4; 0.8; 1.6 . . . . Or 
> pick some other increasing variable. One computer may have the ability to 
> output a gazillion passwords per second, but if the receiving computer 
> won't allow the high speed input, the attempted crack fails.

Actually, that's not really the problem.  The major threat vector this
addresses is if a hash table gets compromised.  How much effort does an
attacker have to put into breaking the hashes if he has them (and it's
always assumed that the algorithm is either known or knowable)?

Right now, it would be impossible to, say, attempt to on-line brute force
ssh for anything but a very limited set of maybe a few thousand
passwords at the outside.  I see that in my honeypots all the time and
even capture the passwords they are attempting.  All very VERY lame.
And it never seems to change.  But...  That must mean that much is
effective.

One time, years ago, someone had me analyze WHY they had gotten busted
into.  They were busted into because they had nntp installed and running
when they weren't even using Network News at all.  But, once in, a huge
number of accounts on that system were immediately compromised and he
wanted to know why.

I was able to grab the password hashes (bad permissions - 2nd problem
after having nntp running) and ran John the Ripper on them.  Less than
an hour later, I knew the passwords to close to 100 accounts on that
system.  They were all lamers.  On-line brute force does not have near
the yield of off-line brute force once you have the hashes and inserting
delays into your login process won't help you a lick there.  Have some
jelly in your pockets because you are now toast.

> Sean 

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
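
An added example, not part of the original message: a minimal Python model of the distinction drawn above, where the doubling delay from the quoted question sits in the login path and a copied hash record is checked without ever touching it. All names (`LoginService`, `offline_check`), the account, the guesses and the PBKDF2 iteration count are constructed for illustration, and the delay is tallied rather than slept.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor for this demo, not a recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    """Online login path with the doubling delay from the quoted question."""

    def __init__(self, base_delay: float = 0.1):
        self.base_delay = base_delay
        self.records = {}    # user -> (salt, hash): the stored hash table
        self.failures = {}   # user -> consecutive wrong guesses
        self.waited = 0.0    # total delay imposed (simulated, no real sleep)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, hash_password(password, salt))

    def attempt(self, user: str, password: str) -> bool:
        salt, stored = self.records[user]
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.failures[user] = 0
        else:
            n = self.failures.get(user, 0)
            self.waited += self.base_delay * 2 ** n  # 0.1, 0.2, 0.4, ...
            self.failures[user] = n + 1
        return ok


def offline_check(record, candidate: str) -> bool:
    """Test a guess against a copied (salt, hash) record; no throttle applies."""
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def demo():
    svc = LoginService()
    svc.add_user("alice", "letmein")  # constructed account
    wrong = ["123456", "password", "qwerty", "abc123", "111111"]  # constructed
    online = [svc.attempt("alice", g) for g in wrong]
    throttled = svc.waited  # 0.1 + 0.2 + 0.4 + 0.8 + 1.6 seconds
    leaked = svc.records["alice"]  # stands in for a hash table read off the box
    offline = [offline_check(leaked, g) for g in wrong + ["letmein"]]
    return online, round(throttled, 1), offline, svc.waited == throttled
```

In this model the only cost left to slow guessing against a copied record is the hash function itself, which is why the work factor and password quality matter once the hashes are out.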