Thread: Passwords
06-07-2010, 02:10 AM   #5
silvarilon
Re: Passwords

Well, yes. But dictionary lists are still just brute force. It's just slightly more intelligent brute force.
As I said, "password" was number 2 of my "automated guess list" - I should have said number 2 of my "dictionary of words to check".
But, also as I said, finding a word in the dictionary as a password was very rare. (But my software didn't do permutations like l33t which may have improved the success rate.)

If we want to talk about "real" password cracking, it'd likely be done with a MIM (man in the middle) attack, or by finding a weakness in the hashing algorithm allowing you to reverse the hash. It is possible, though, to design a system that can't be attacked using either method.

No. That's not good enough. Because it's only letters, the search space for a cracker is significantly lower. And search space matters, whether brute forcing, or attempting to reverse a hash. Adding a bit of l33t to it, however, increases the search space while still avoiding a dictionary attack.

I don't think you need to choose the password randomly. Even just changing the password "horse" into "Horse!" is good enough to increase the search space hugely. And it's much easier to remember.
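An added example, not part of silvarilon's post: a password-set-time audit that computes the brute-force search space the post refers to and also checks whether a password reduces to a dictionary word once capitalisation, appended digits or punctuation, and l33t substitutions are undone. The wordlist, the substitution table and the function names are constructed for illustration.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"password", "horse", "dragon", "letmein"}

# Assumed, non-exhaustive l33t substitutions mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(pw):
    """Total size of the ASCII character classes that pw draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def brute_force_bits(pw):
    """log2 of the exhaustive search space, alphabet_size ** len(pw)."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def dictionary_base(pw):
    """Return the wordlist entry pw is derived from, or None."""
    # Try the password as typed, then with leading/trailing digits
    # and punctuation removed (the "Horse!" pattern).
    stripped = pw.strip(string.digits + string.punctuation)
    for cand in (pw, stripped):
        lowered = cand.lower()
        for form in (lowered, lowered.translate(LEET)):
            if form in WORDLIST:
                return form
    return None


def audit(pw):
    """Summarise both measures for one candidate password."""
    return {"bits": round(brute_force_bits(pw), 1),
            "dictionary_base": dictionary_base(pw)}


if __name__ == "__main__":
    for sample in ("horse", "Horse!", "h0r53", "p@ssw0rd", "xkT9#qLm2v"):
        print(sample, audit(sample))
```

The two measures are independent: `bits` grows with length and character classes, while `dictionary_base` reports whether a wordlist plus simple mangling rules would still reach the password.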