fri, 25-nov-2005, 11:06

Following up on yesterday's discussion of making passwords that look random to the computer, but contain some pattern that's easily remembered, I wrote a little password generator in Python. It requires the 'fortune' program (fortune-mod, fortunes packages in Debian), as well as Python. The script takes two optional arguments, the number of passwords to generate, and if the script should create "difficult" passwords.

The output looks like this:

    $ ./ 1
    16422 : 4Dcfpnsfe#
    Don't compare floating point numbers solely for equality.
or if you've chosen the "difficult" version:
    $ ./ 1 d
    55424 : ya8=Ithotmk
    You are in the hall of the mountain king.

The difficult version puts the number, symbol and upper case letter in the middle of the string of letters, rather than at the beginning and end with the simpler version. I suppose the difficult version is slightly more "random" and is better as a result, but there's probably not much difference when it comes to how long it would take to crack it.

Of course, despite the way the passwords look, they're not actually random. So if the cracker knows that you've used a password generator based on the fortune command, they can generate a wordlist based on fortunes and use that in a dictionary attack instead of having to use a brute force attack.

tags: sysadmin 
thu, 24-nov-2005, 10:49

The University has been requring certain departments to sit through a 15 minute presentation on using good passwords. One of the handouts had a chart showing how long it takes to crack passwords by how long they are and how many types of characters they've got in them. I'm interested in the subject because I typically assign passwords to my users when they start work. I wrote a simple program that takes words from the dictionary that are between 9 and 15 letters long, and which don't end in 'ing', 's', or 'ed'. The program then splits the word in the middle somewhere, inserts a random number, a random symbol, and capitalizes one of the following letters in the word.

For example, the script gets the word 'misdirection', inserts a '1' and a '%', and then capitalizes one of the letters in the word. The resulting password is 'misdi1%recTion'.

That password is composed of the letters [a-zA-Z], symbols [!@#$%^&*+=;:?], and numbers [0-9], so the set of characters to search for is 26 + 26 + 13 + 10 = 75. The password is 14 characters long, so the space a brute force attack has to search is 7514 = 1.8 x 1028 which is a huge number.

I did a few experiments with my workstation, which has an AMD Opteron 246 processor inside. Performing a brute force attack requires encrypting all these possible combinations until a match is found. So the type of encryption used is important. My computer can perform about 450,000 encryptions per second if the encryption is the old style DES encryption used on most proprietary Unix platforms. But all of my servers are running Linux, which uses md5 style passwords, and my computer can only do about 3,500 encryptions per second. So 1.8 x 1028 possible passwords / 3,500 encryptions / second means it'll take about 1.6 quadrillion years on my computer to crack it (or half that time on average).

Unfortunately, most passwords aren't cracked using brute force, they're cracked by using a dictionary attack, and since my passwords are generated using a dictionary, that means they're considerably more vulnerable. The question is, does my method of randomly inserting a number and symbol in the middle of a dictionary word (as well as randomly upper casing a letter) defeat a dictionary attack?

I don't know the answer. But I've done some experiments with pathologically bad passwords to see what might happen. On my computer a simple dictionary word is cracked within seconds. And a simple dictionary word with numbers appended (I tried 'barf51') is cracked in two and a half hours. So the jury is still out on my method. But I'll bet that my method isn't as safe as I thought it was at first. It's certainly better than the user that uses her husband's name, the name of the dog, or their license plate number for a password. Most cracking software has information about the typical behavior of users built into it, so it will start by searching the space defined by their username, their domain name, and common names. 'cswingle11' would be a pretty poor choice for me. 'misdi1%recTion' would undoubtably be better.

The only way to really generate passwords is to do it in such a way that there isn't a pattern (like a dictionary word) that the computer can identify and use to reduce the number of combinations the cracking program needs to test. So a better approach to passwords is probably to use a database of common phrases, and pull the first letters from the phrase, insert some random cases, symbols and numbers, and use that. Perhaps the 'fortune' command offers som possibilities here:

    $ fortune -n 80 | head -1
    There is no distinctly native American criminal class except Congress.

So: 'tindnaccec' --> TindnAcceC --> TindnA7#cceC

That's 7512 = 3 x 1022 and because it's effectively random (unless cracking tools learn about the 'fortune' database and how it might be manipulated. . .), it'll take 286 billion years for a computer equivalent to mine to crack this.

Sounds like a Python script in the making.

tags: sysadmin 
tue, 22-nov-2005, 08:43

Earlier today I was reading pragmatik's blog and he mentioned seeing three auto accidents (one fatal) on his way to Baltimore. It's been a subject on my mind recently as a graduate student friend of mine was recently killed in an auto accident. I decided to visit the Statistical Abstract of the United States to look at death and accident rates. Death rate figures appear in Table 102 in the 2004-2005 Abstract. For all Americans, the rates per 100,000 people in 2002 were:

Heart disease240.4
Lower respiratory43.7
Liver disease9.3

(apologies for the formatting of the table. I can't seem to figure out the column formatting stuff.)

That rate of 35.5 people per 100,000 translates into 102,303 people in 2002 that died by accident. The next table in the Abstract (Table 103) breaks these down into smaller categories. For accidents:

AccidentRate / 100,0002002 Count
Motor vehicles15.544,572
Smoke, Fire1.03,024
Firearm discharge0.3813

Fourty-four thousand people is an awful lot to die on our roads in 2002. That's 122 people every day, or a major airline crash a few times a week. There's no further detail on these accidents, but it would be interesting to know in what percentage of cases alcohol was involved, and what percentage of the fatalities weren't wearing their seatbelts.

On a lighter note (sort of), Table 175 shows the Injuries Associated with Consumer Products, shown as estimated emergency room treatments in 2001. A few numbers: 1,087,546 people went to the emergency room after an incident on the stairs, 349,679 people had trouble with a door that was bad enough they had to see a doctor. 118,501 people hurt themselves with their footwear, and 47,210 people were injured by their televisions. Bizzare. I knew television was dangerous, but I never thought I'd have to go to the emergency room because of it!

tags: society 
mon, 21-nov-2005, 18:04
The salmon I smoked yesterday turned out really good.  I vacuum packaged it righ
t after I got back from Chitina back in June, and the fillets were still bright 
red when I pulled them out of the freezer.  I marinated two fillets for half an 
hour in 1/2 cup of pickling salt (and enough water to fill up the ziplock), rins
ed them off, and then marinated them overnight in 1/2 cup pickling salt, 1/2 cup
 brown sugar and 1 tablespoon black pepper.  I smoked them for 3 hours on my cha
rcoal smoker using soaked mesquite chunks for the smoke.  I normally use alder I
 cut from the yard, but it was below zero yesterday and I got lazy and used the 
store-bought mesquite chunks.  I think mesquite gives a more bacony flavor, whil
e the alder has a more resinous, traditional flavor.

BTW, the FoodSaver I used to vacuum package the salmon has been a great purchase
.  The difference between the salmon I froze in ziplock bags the previous summer
 and the salmon that's been vacuum packaged is like, well, grey old salmon vs. b
right red fresh salmon.  I occasionally have a problem where the sealer doesn't 
quite seal the bag, but now I just double-seal each bag and I haven't had an iss
ue since.

tags: food 

Meta Photolog Archives