Why use strong passwords? Post: 302727017

Sponsored Content

Special Forums Cybersecurity Why use strong passwords? Post 302727017 by Neo on Monday 5th of November 2012 01:46:08 PM

11-05-2012

Administrator

Quote:

Originally Posted by Corona688

That only matters when you've swiped someone's shadow file though. If they have to brute-force your login, most systems will slow down failed logins severely.

Well, that is exactly what I said in my first post, that the issue is when someone steals the password file (what ever kind it is), my post was:

Quote:

One reason is that if someone steals the password file with all the encrypted passwords , it is easy to crack weak passwords. So, imagine a business with 20,000 customers and someone steals the password file. It would be easy for a criminal to run a brute force exploit (attack) against the encrypted passwords in the password file, and then subsequently compromise the accounts.

And in reality, this is what happens. A password file or database full of passwords (encrypted) are stolen; this can also include encrypted credit card information and other confidential data.

The same is also true for encrypted WIFI keys, which can be stored as encrypted text and then later on, a brute force attack is applied against those passwords; so the exploit is first gathering the data (encrypted text) and later running an attack against the ciphertext.

Neo

View Public Profile for Neo

Visit Neo's homepage!

Find all posts by Neo

2 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Strong quotes and spaces

We ran into a problem because of a shop that uses Windows and UNIX. The file names that Windows uses have spaces in them. When they get moved to the unix system they still have spaces. This produces a problem in our script that moves them again from one unix system to another. I've made up a...

2. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the...

LEARN ABOUT DEBIAN

makepasswd

makepasswd(1)						       UNIX Reference Manual						     makepasswd(1)

NAME

       makepasswd - generate and/or encrypt passwords

SYNOPSIS

       makepasswd [ --chars N ] [ --clearfrom file ] [ --count N ] [ --crypt | --nocrypt | --crypt-md5 ] [ --cryptsalt N ] [ --help ] [ --maxchars
       N ] [ --minchars N ] [ --randomseed N ] [ --rerandom N ] [ --repeatpass N ] [ --string string ] [ --verbose | --noverbose ]

DESCRIPTION

       makepasswd generates true random passwords using /dev/urandom, with the emphasis on security over pronounceability.  It	can  also  encrypt
       plaintext passwords given on the command line.

OPTIONS

       --chars N
	      Generate passwords with exactly N characters (do not use with options --minchars and --maxchars).

       --clearfrom FILE
	      Use password from FILE instead of generating passwords.  Requires the --crypt or the --crypt-md5 options; may not be used with these
	      options: --chars, --maxchars, --minchars, --count, --string, --nocrypt.  Trailing newlines are removed but other white space is not.

       --count N
	      Produce a total of N passwords (the default is one).

       --crypt
	      Produce encrypted passwords.

       --crypt-md5
	      Produce encrypted passwords using the MD5 digest (hash) algorithm.

       --cryptsalt N
	      Use crypt() salt N, a positive number <= 4096.  If random seeds are desired, specify a zero value (the default).

       --help Ignore other operands and produce only a help display.

       --maxchars N
	      Generate passwords with at most N characters (default = 10).

       --minchars N
	      Generate passwords with at least N characters (default = 8).

       --nocrypt
	      Do not encrypt the generated password(s) (the default).

       --noverbose
	      Display no labels on output (the default).

       --randomseed N
	      Use random number seed N, between 0 and 2^32 inclusive.  A zero value results in a  real-random  seed.   This  generates	much  less
	      secure passwords than the default; not only does it generate predictable passwords due to the fixed seed, but the range of available
	      seeds is 32 bits rather than the default of 256 bits, and cannot be changed without breaking expectations of previous users of  this
	      option.  If possible, do not use this option.

       --rerandom N
	      Set  the random seed value every N values used.  Specify zero to use a single seed value (the default). Specify one to get true-ran-
	      dom passwords, though note that doing this too frequently will deplete the supply of entropy available in the kernel's entropy pool.

       --repeatpass N
	      Use each password N times (4096 maximum, --crypt must be set and --cryptsalt may not be set).

       --string STRING
	      Use the characters in STRING to generate random passwords.

       --verbose
	      Display labelling information on output.

HISTORY

       makepasswd was originally part of the mkircconf program used to centrally administer the Linux Internet Support	Cooperative  IRC  network.
       It may potentially be of use in any situation where passwords must be secure and need not be memorized by humans.

       Colin Watson modified it to use OpenSSL's pseudo-random number generator.

COPYRIGHT

       Copyright  (c) 1997-1998 by lilo <lilo@linpeople.org>.  All rights are reserved by the author.  This program may be used under the terms of
       version 2 of the GNU Public License.

SEE ALSO

       passwd(5)

Debian Distribution						  1998 February 9						     makepasswd(1)