Daniel V. Klein. "Foiling the cracker": A survey of, and improvements to, password security. In Proc. of the USENIX UNIX Security Workshop, pages 5--14, Portland, OR, USA, August 1990.

This paper is cited in the following contexts:
Arriving at FPGA based Hardware Unix-Encription using.. - Cyliax, Johnson, Bose (1997)   (Correct)

....[8] A common attack on Unix systems is to obtain the system's password file and use a plaintext dictionary key search to attack passwords. Once weak passwords have been discovered, the attacker can use this knowledge to launch an attack on more secure systems on which users may have accounts [6]. Using a dictionary password key search attack is one of the methods which the Internet Worm of 1988 used to gain access to other systems [10]. The standard Unix crypt function available in the Unix standard C library (lib c) on domestically distributed Unix systems. Source code for the ....

....encodings. Typical scanning runs may use dictionaries of up to 1 Million plaintext words, which are tried with different capitalizations, and sometimes substitutions for expressions like "to", "too" and "2", and combinations of smaller words. Large dictionary scans may take months of compute time [6]. Administrators are reluctant to run password scanning on high end research computing facilities, whose facilities are typically charged for the CPU time they, themselves, consume. In a nutshell, it takes valuable resources for system administrators to run password scans. An attacker can get ....

Daniel V. Klein. `foiling the cracker': A survey of, and improvements to, password security. Technical report, Software Engineering Institute, Carnegie Mellon University, 1990.


Anatomy of a Proactive Password Changer - Bishop (1992)   (1 citation)  (Correct)

....6188 Bradley Hall Hanover, NH 03755 1. Introduction The issue of poor user selection of passwords has been discussed in many papers [6][7] and need not be repeated here. Among the techniques used to overcome these problems are random generation of passwords [3], challenge response techniques [5], key crunching [4], and the examination of user selected passwords either by cracking them or by analyzing them before allowing the password to be changed. In this paper we look at a program specifically designed to do the latter. This paper will describe a new version of the UNIX password ....

Daniel V. Klein, ""Foiling the Cracker": A Survey of, and Improvements to, Password Security," Proceedings of the UNIX Security Workshop II pp. 5-14 (Aug. 1990)


Encrypted Key Exchange: Password-Based Protocols Secure.. - Bellovin, Merritt (1992)   (147 citations)  (Correct)

....common to all classical two party key exchange protocols: the enduring cryptographic secrets are susceptible to off line, brute force attacks. This may be fine when these secrets are long random strings, but poses considerable difficulty when the secrets are passwords chosen by naive users [5, 6, 7, 8]. 2 EKE using public keys Consider instead the following simple message exchange: 1. A generates a random public key private key pair, E_A and D_A, and encrypts the public key in a symmetric cryptosystem with password P, yielding P(E_A). A sends P(E_A) (EKE:1) to B. We will defer until ....

....about poorly chosen passwords. Were the world like that, we might agree. Today, it is not. Empirically, weak passwords are a fact of life. Attempts to strengthen users' passwords by enforcing syntactic restrictions have not been notably successful; audits still turn up many weak passwords. Klein [7], for example, cracked 25% of a database of 15,000 password entries; others report similar success rates. The problem is so serious that many versions of the UNIX 4 operating system have been forced to read-protect the file containing users' passwords, despite the system's use of a one way ....

D. V. Klein, ""Foiling the cracker": A survey of, and improvements to, password security," in Proceedings of the USENIX UNIX Security Workshop, (Portland), pp. 5--14, August 1990.


Augmented Encrypted Key Exchange: a Password-Based Protocol.. - Bellovin, Merritt (1993)   (50 citations)  (Correct)

....we assume that the user's sole means of authentication and sole long term storage is a simple password, rather than a bulky private key. Furthermore, we assume that the password must be protected from dictionary attacks; historically, such attacks are quite successful. See, for example, [13, 9, 10, 12], among others. 1.2 Summary of Notation Our notation is shown in Table 1. To avoid confusion, we use the word symmetric to denote a conventional cryptosystem; it uses secret keys. A public key, or asymmetric, Table 1: Notation A; B System principals. Alice and Bob) P The password: a shared ....

KLEIN, D. V. "Foiling the cracker": A survey of, and improvements to, password security. In Proceedings of the USENIX UNIX Security Workshop (Portland, August 1990), pp. 5--14.


Proactive Password Checking - Bishop (1992)   (2 citations)  (Correct)

....two of the most popular, publicly available programs to see how well they meet the requirements. Future directions are examined, as well as alternatives to such checkers. 1. Introduction The problems inherent in allowing users to choose passwords without restriction have been widely discussed [4][6]; countermeasures include random generation of passwords [8] and techniques to test the strength of the proposed password the user selects. The latter falls into two classes: reactive password checking, in which the password is reset and later tested, and proactive password checking, in which ....

....care must be applied in selecting which passwords are unacceptably easy to guess. Turning from the mathematics to the engineering aspect, certain facilities must be present to provide the degree of flexibility in the tests that will eliminate passwords as easily guessed. Previous studies, notably [4] and [6] have described common classes of passwords found experimentally and what types of passwords should be avoided (see table 1); in addition, specific words or character sequences may be meaningful to particular sites or users and hence good guesses for attackers. These considerations ....

Klein, D. V., ""Foiling the Cracker": A Survey Of, and Improvements to, Password Security," Proceedings of the UNIX Security Workshop II (Aug. 1990) pp. 5-14.


UNIX Password Security - Walter Belgers (1993)   (3 citations)  (Correct)

....or not logging in as guest with password guest is criminal in the Netherlands. 4. qwerty, unesco. 5. heather, joanne. 6. piet, atilla, Frans2, vatsug (this is gustav spelled backwards) 7. adelaide. Some people have studied the amount of passwords that is easily guessable in the past. In [Kle] Daniel Klein finds 21% of 15,000 passwords using one week of CPU time. The first 2.7% was found within 15 minutes (people who used their account as password, e.g. account gigawalt with password gigawalt). The categories in which over 1% of the 15,000 passwords were found are: lists 7.4% common ....

DANIEL V. KLEIN, "Foiling the Cracker": A survey of, and Improvements to, Password Security (revised paper), Proceedings of the USENIX Security Workshop, summer 1990.


Notes On The Design Of An Internet Adversary - David Rosenthal Petros   (Correct)

No context found.

Daniel V. Klein. "Foiling the cracker": A survey of, and improvements to, password security. In Proc. of the USENIX UNIX Security Workshop, pages 5--14, Portland, OR, USA, August 1990.


Notes on the Design of an Internet Adversary - Rosenthal, Maniatis..   (Correct)

No context found.

Daniel V. Klein. "Foiling the cracker": A survey of, and improvements to, password security. In Proc. of the USENIX UNIX Security Workshop, pages 5--14, Portland, OR, USA, August 1990.


Proactive Password Checking with Decision Trees - Bergadano Crispo And   (2 citations)  (Correct)

No context found.

D. V. Klein. `Foiling the Cracker': A Survey of, and Improvements to Password Security. In Proc. USENIX Security Workshop, Portland, Oregon, 1990.


Secure Human-Computer Identification against Peeping Attacks.. - Li, Shum (2003)   (Correct)

No context found.

Daniel V. Klein. "foiling the cracker": A survey of, and improvements to, password security. In Proc. 2nd USENIX Security Workshop, pages 5--14, 1990.
