Internet crackers and security advice

Cornelius Krasel zxmkr08 at mailserv.zdv.uni-tuebingen.de
Thu Sep 10 08:23:25 EST 1992


In <01GOI3BHJJ048WVYXW at beloit.edu> JONESBB at BELOIT.EDU writes:
>This happened to our main users' computer at a university where I used to work,
>but they had already patched all the security holes in their system.  The
>invader entered using "password cracker" software, so I would like to add a
>word about passwords to Don's note.  It seems that there is a list of about
>400 words that are used quite frequently as passwords.  There also exists
>"password cracker" software which tries every entry in this list against a
>given account.  More often than you would think, this list succeeds.  In
>addition, there are known viruses which use the same list to crack accounts 
>and invade new machines.

[Some system-specific stuff deleted]

>They also put a password filter on the system.  When anyone ever changed
>a password, the new one must have at least one uppercase letter and at
>least one lowercase letter, and I believe they also talked about requiring
>one punctuation symbol, but finally didn't.  On case-insensitive systems
>like Vaxen, where all passwords are raised to uppercase, my favorite
>scheme is to make my password out of either one word, but misspelled, such
>as zeebraa, or out of two words together, such as dogcat.  The thing is,
>don't make them REAL WORDS, no matter how obscure, even out of literature.

I have seen a password cracking program in action. Unfortunately it
does not help to simply include digits or punctuation into "real words",
since at least this program was prepared for it and cracked things like
z1ebra without any problems. As far as I remember, the program used
several approaches: first, it tried all usernames available on this 
particular computer; second, it tested an internal (editable) word
list; third, it checked changes in spelling, such as mixed upper-
or lowercase, or interspersed digits. It was fairly successful...

--Cornelius (by no means an expert in computer security).
--
/* Cornelius Krasel, Department of Physiological Chemistry, U Tuebingen    */ 
/* email: krasel at mailserv.zdv.uni-tuebingen.de (Internet)                  */
/*        krasel at chemie.uni-tuebingen.dbp.de (WIN/X400)                    */
/* "People are DNA's way of making more DNA." (anonymous)                  */
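A password filter that applies the lesson of this thread, added here as an example and not part of the original post: rather than only demanding mixed case (which the cracker described above handled), it undoes the same mangling the cracker undid (case, digit-for-letter swaps, interspersed digits) and rejects any candidate that collapses to a dictionary word, two joined words such as dogcat, or the username. The word list and substitution table are constructed stand-ins.

```python
import re
from typing import List, Set

# Constructed stand-in for the "list of about 400 words" the thread mentions;
# a real filter would load a full dictionary or leaked-password list.
WORDLIST: Set[str] = {"zebra", "dog", "cat", "bird", "password", "secret", "welcome"}

# Digit/symbol-for-letter swaps of the kind the cracker undid (z1ebra -> zebra).
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})

def normalised_forms(password: str) -> Set[str]:
    """Spellings a mangling-aware cracker would derive from the candidate:
    case-folded, with leet swaps undone, and with interspersed digits or
    punctuation stripped. The filter rejects the password if *any* form is
    a dictionary word, so a capital letter or a '1' is not enough."""
    low = password.lower()
    forms = {low, low.translate(_UNLEET)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    return {f for f in forms if f}

def _is_two_words(s: str, words: Set[str]) -> bool:
    """dogcat-style concatenation of two dictionary words."""
    return any(s[:i] in words and s[i:] in words for i in range(1, len(s)))

def check_password(password: str, username: str,
                   words: Set[str] = WORDLIST) -> List[str]:
    """Return the reasons the password is rejected (empty list means accepted)."""
    problems = []
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs both upper- and lowercase letters")
    for form in normalised_forms(password):
        if form == username.lower():
            problems.append("derived from the username")
        elif form in words:
            problems.append(f"dictionary word '{form}' after undoing mangling")
        elif _is_two_words(form, words):
            problems.append(f"two dictionary words joined ('{form}')")
    return sorted(set(problems))

if __name__ == "__main__":
    for candidate in ("z1ebra", "Dogcat", "zeebraa", "Xq7#vLmp2"):
        print(candidate, "->", check_password(candidate, "krasel") or "ok")
```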

More information about the Bio-soft mailing list