A few years back, a certain ISP I had a shell account with wasn't using shadow passwords. I used John the Ripper on my 486, and cracked 4000 of their 6000 users' passwords, including root (took about 2 weeks of processing). My friend worked there, and I gave the info to him and he promptly implemented a password policy. Not good, especially since I'm sure many of those people used the same passwords for various other things. It didn't get any passwords with symbols in them though. If you put symbols in them, and keep them at least 8 or 10 chars long, it should be fairly hard for someone to crack it. Unless of course they grab the hash from a Windows box and use L0phtCrack. In the Windows world, you pretty much have to change it every 20-30 days, because that's about all the time it will take L0phtCrack to get any Windows password, unless MS finally fixed the split hash thing.

BTW, does anyone know of any free/cheap alternatives to the RSA AceServer? I'd like to implement something like this on some of my personal equipment.

Jay

-----Original Message-----
From: Dave Sherohman [mailto:esper at sherohman.org]
Sent: Thursday, May 24, 2001 10:53 PM
To: tclug-list at mn-linux.org
Subject: Re: [TCLUG] anyone still keeping count?

On Thu, May 24, 2001 at 10:21:08PM -0500, Florin Iucha wrote:
> On Thu, May 24, 2001 at 07:01:13PM -0700, Munir Nassar wrote:
> > there is a linux bootdisk that has NTFS support and
> > you can use this floppy to "recover" windows
> > 2000/NT4/NT3.51 Administrator passwords... talk about
> > sloppy security!
>
> Not to nitpick too much here but with a boot/root linux disk I can do that too
> with your Linux box.

Not to nitpick too much, but it may not be the same thing, depending on what Munir meant by "recover". With a Linux boot floppy, you can _reset_ the root password, but you still can't find out what the existing password is (which is what I take "recover the password" to mean).

Changing the root/admin password to something you know gives you control of the box, but is immediately obvious to the real admin. And, as you pointed out, you really can't stop someone with physical access to the machine from doing this.

Discovering the existing password is far, far worse. Not only is it not obvious to the box's legitimate owner, they may have used the same password on other systems, which you now have access to also. Fortunately, it's not too difficult to make this effectively impossible these days.

--
That's not gibberish... It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12: GCS d? s+: a C++ UL++++$ P++>+++ L+++>++++ E- W--(++) N+ o+ !K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI++++ D G e* h r y+
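
An added example, not part of any message in this thread: a check for the condition described in the first message, where password hashes sit in the world-readable passwd file instead of a shadow file. The function names, sample entries and hash strings are constructed for illustration; the hash strings are placeholders, not real hashes.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes ($id$salt$hash) and the scheme each one names.
MODULAR = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}

def classify(field):
    """Return (status, detail) for the password field of a passwd(5) entry."""
    if field == "x":
        return ("shadowed", "hash is kept in the shadow file")
    if field == "":
        return ("empty", "account has no password")
    body = field.lstrip("!")  # a leading '!' locks the account but keeps the hash
    if body in ("", "*"):
        return ("locked", "no usable hash")
    if body.startswith("$"):
        return ("exposed", MODULAR.get(body.split("$")[1], "unknown scheme"))
    if DES_RE.match(body):
        return ("exposed", "des-crypt")
    return ("unknown", "unrecognised field")

def audit(passwd_text):
    """List (line, user, status, detail) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "?", "malformed", "expected 7 fields"))
            continue
        status, detail = classify(fields[1])
        if status in ("exposed", "empty", "unknown"):
            findings.append((lineno, fields[0], status, detail))
    return findings

# Constructed sample in passwd(5) format; hash strings are placeholders.
SAMPLE = """\
root:abCDEFGHIJKLM:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijkl:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any entry reported as `exposed` means every local user can read that hash and run an offline guessing attack against it.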