
Password auditing isn't reliable

Posted Oct 22, 2009 17:04 UTC (Thu) by copsewood (subscriber, #199)
In reply to: Distributed brute force ssh attacks by ikm
Parent article: Distributed brute force ssh attacks

Password auditing is difficult if users are allowed to choose their own passwords. It's true you can use tools such as Crack to do this, but if your popular password list isn't the same as the one used by your attacker, a password that looks strong to your tools might well be weak to an attacker. E.g., your user's weak password might be a popular password in a language you don't speak and which those compiling your Crack password dictionary don't know about. Fine if you have access to the same auditing tools as your attackers have for attacking you, but it certainly isn't safe to assume that you do. It seems to me better either to generate random passwords for the users, or to choose good ones for them that they should be able to remember, based on what you know about them which attackers are unlikely to know or guess.

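The point the comment makes, as an added illustration that is not part of the original post: a Crack-style audit only catches what its wordlist contains, so the same password passes an English-only audit and fails a Spanish one. The wordlists, mangling rules and sample passwords below are constructed for the demonstration; `generate_password` shows the alternative the commenter prefers, a CSPRNG-generated password whose strength does not depend on anyone's dictionary.

```python
import secrets
import string

# Constructed stand-ins for Crack-style dictionaries. Real ones are large files;
# the only point here is that the auditor's list and the attacker's list differ.
ENGLISH_WORDS = {"password", "letmein", "dragon", "monkey", "sunshine"}
SPANISH_WORDS = {"contrasena", "amor", "hola", "tequiero", "futbol"}

# A few common substitutions an auditor would undo before the dictionary lookup.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s"})


def candidates(password: str):
    """Yield normalised forms of a password that a simple audit compares to a wordlist."""
    base = password.lower()
    yield base
    yield base.translate(LEET)
    stripped = base.rstrip(string.digits + string.punctuation)  # drop trailing "99", "1!"
    if stripped != base:
        yield stripped
        yield stripped.translate(LEET)


def audit(password: str, wordlist: set) -> bool:
    """True if any normalised form of the password appears in the wordlist."""
    return any(c in wordlist for c in candidates(password))


def audit_report(passwords, wordlists: dict) -> dict:
    """Map each password to the names of the wordlists that catch it (empty set = passes)."""
    return {p: {name for name, wl in wordlists.items() if audit(p, wl)} for p in passwords}


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG; no wordlist mismatch can make it weak."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    sample = ["Dr4gon99", "Contrasena1!", "hola2009"]  # constructed user passwords
    report = audit_report(sample, {"english": ENGLISH_WORDS, "spanish": SPANISH_WORDS})
    for pw, hits in report.items():
        print(f"{pw:14} caught by: {sorted(hits) or 'none'}")
    print("generated:", generate_password())
```

With only the English list loaded, "Contrasena1!" and "hola2009" both pass the audit, which is exactly the false sense of security the comment warns about.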

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds