From: Per W. <pw...@ia...> - 2003-07-24 19:43:55
But without knowing the pwd, it is possible to set a known one, do some
nice things, and then set back the original - without knowing what the
original pwd was.

/Per W

On Thu, 24 Jul 2003, David McKen wrote:

> Being able to get the old is worse because the user will
> not notice that it has changed and a careful person can
> make it so that no (or rather very few) other traces are
> left.
>
> To make matters worse, many people re-use passwords (makes
> it easier to remember)
>
> --- Per Westermark <pw...@ia...> wrote:
> > One more thing - this information is about cracking a password, i.e.
> > finding out what it is. If I don't bother, there are a number of
> > programs available that will allow setting a new password without
> > knowing the old.
> >
> > /Per W
> >
> > On Thu, 24 Jul 2003, Ioannis Vranos wrote:
> >
> > > I think this is interesting for everyone in the list, so I thought
> > > to drop it in here.
> > >
> > > From WinInfo Daily Update:
> > >
> > > === 1. News and Views ====
> > > by Paul Thurrott, thu...@wi...
> > >
> > > Researchers Crack Windows Passwords in Seconds
> > >
> > > Swiss researchers have developed a password-cracking scheme, based
> > > on a method first developed in 1980, that lets them crack most
> > > Windows passwords in about 13 seconds (the original method takes
> > > more than a minute and a half longer). The scheme enforces a growing
> > > concern in the security community that the way in which Microsoft
> > > encodes passwords in Windows is inherently weak, opening the door
> > > for cracking programs to use brute-force methods to test and break
> > > passwords.
> > >
> > > Philippe Oechslin, one of the Swiss researchers, recently published
> > > an online paper, "Making a Faster Cryptanalytic Time-Memory
> > > Trade-Off," which highlights the new password-cracking scheme.
> > > Oechslin will present the paper in August at Crypto 2003, an
> > > international cryptology conference held this year at the University
> > > of California, Santa Barbara and organized by the International
> > > Association for Cryptologic Research (IACR) in cooperation with the
> > > IEEE Computer Society Technical Committee on Security and Privacy.
> > >
> > > "As an example, we have implemented an attack on MS-Windows
> > > password hashes," the researchers write. "Using 1.4GB of data (two
> > > CD-ROMs) we can crack 99.9 percent of all alphanumerical passwords
> > > hashes ... in 13.6 seconds whereas it takes 101 seconds with the
> > > current approach using distinguished points. We show that the gain
> > > could be even much higher depending on the parameters used."
> > >
> > > Oddly, the researchers weren't interested in cracking Windows
> > > passwords but rather were trying to demonstrate the previous
> > > theoretical cryptanalytic time-memory trade-off technique. They note
> > > that Microsoft's passwords are weak because, when encrypted, they
> > > don't include any random information. Thus, the same password on two
> > > Windows machines will always be the same when encrypted, which makes
> > > breaking the password encryption much easier than if the passwords
> > > were randomized.
> > >
> > > Although generating more secure passwords by using nonalphanumeric
> > > characters and other special characters is possible, the researchers
> > > say that even this approach won't solve the inherent problem in
> > > Windows because all they'd need is more time or a larger data set (or
> > > both) to crack those passwords as well. Instead, Microsoft will have
> > > to fix this feature to encrypt passwords with random information, the
> > > researchers say.
> > >
> > > -------------------------------------------------------
> > >
> > > Ioannis Vranos
> > >
> > > * Programming pages: http://www.noicys.freeurl.com
> > > * Alternative URL 1: http://run.to/noicys
> > > * Alternative URL 2: http://www.noicys.cjb.net
> > >
> > > -------------------------------------------------------
> > > This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> > > Data Reports, E-commerce, Portals, and Forums are available now.
> > > Download today and enter to win an XBOX or Visual Studio .NET.
> > > http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> > > _______________________________________________
> > > Dev-cpp-users mailing list
> > > Dev...@li...
> > > TO UNSUBSCRIBE: http://www23.brinkster.com/noicys/devcpp/ub.htm
> > > https://lists.sourceforge.net/lists/listinfo/dev-cpp-users
>
> =====
> Signed
> David Mcken
>
> Life Sucks
> Live with it
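The quoted article's point that a password stored without random information is identical on every machine, and what per-record salting changes, as an added example that is not part of the original thread. SHA-256 stands in for a fast unsalted scheme and PBKDF2 for a salted one; those choices, the function names and the sample passwords are assumptions made for illustration, not the Windows algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_hash(password: str) -> str:
    # Deterministic: the same password always yields the same stored value.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = None):
    # A fresh random salt per record makes each stored value unique.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def build_table(candidates):
    # A table computed once, ahead of time, and reusable against every
    # store that uses the unsalted scheme.
    return {unsalted_hash(p): p for p in candidates}


def demo():
    candidates = ["letmein", "Summer2003", "qwerty"]  # constructed sample list
    table = build_table(candidates)

    # Two machines storing the same password without a salt.
    machine_a = unsalted_hash("Summer2003")
    machine_b = unsalted_hash("Summer2003")

    # The same two machines storing it with a per-record salt.
    salt_a, dk_a = salted_hash("Summer2003")
    salt_b, dk_b = salted_hash("Summer2003")

    return {
        "unsalted_equal": machine_a == machine_b,
        "table_hit": table.get(machine_a),
        "salted_equal": dk_a == dk_b,
        "salted_table_hit": table.get(dk_a.hex()),
        "verify_ok": verify_salted("Summer2003", salt_a, dk_a),
        "verify_bad": verify_salted("wrong-guess", salt_a, dk_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a salt, the precomputed table no longer matches any stored record, while a legitimate login check still works because the salt is stored beside the hash.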