Password Cracking Programs -- How useful?

Password Cracking Programs -- How useful?

Post by G.A. Kohri » Fri, 23 Aug 1996 04:00:00



Hi,

I've a question about the usefulness of password cracking programs.
One of the system administrators at a supercomputing center where we
run our programs has the Crack software continuously running in
background on a supercomputer.  We've complained that this is simply
eating up valuable supercomputer time and he counters that it is
absolutely essential for maintaing the security of the supercomputing
center. (Note: There is no military research being done at this site and
very little industrial research.)

Now, I'm just a normal user and do not know much about computer security.
So, can someone explain to me whether or not this is a normal procedure
at supercomputer centers?  Does this really increase the security level?
If someone were to crack the password of a normal user, would this pose
more than a local problem? (I realize that if the root password were
cracked you could have serious problems.) How do other computer centers
deal with the problem of users using easy to crack passwords?

Also, if anyone has experience with the Crack software -- about how much
cpu-time would be needed to check 2,000 passwords? How often do normal
system administrators run the Crack software?

Thanks for any help!

-- Greg

 
 
 

Password Cracking Programs -- How useful?

Post by Dave Sil » Fri, 23 Aug 1996 04:00:00



> Now, I'm just a normal user and do not know much about computer security.
> So, can someone explain to me whether or not this is a normal procedure
> at supercomputer centers?

No, it's not. But that doesn't necessarily mean it's a bad idea,
either.

Quote:> Does this really increase the security level?

Yes, but it's not terribly effective, and is at best one small part of
complete security program. Replacing the standard passwd program with
one that prevents users from choosing crackable passwords is much more
effective. Even better are single-use passwords like S/Key, opie,
SecurID, etc. But at least with a proactive passwd program (like
anlpasswd), you really only need only need to run crack once.

Quote:> If someone were to crack the password of a normal user, would this pose
> more than a local problem?

Potentially. There are lots of security holes that require local
access to exploit, and one normal user's cracked account can be just
the toehold they need to launch a major attack.

Quote:> How do other computer centers
> deal with the problem of users using easy to crack passwords?

Some do nothing. Some run crack. Some install proactive passwd
programs. Some use generated passwords. Some use single-use
passwords. Some use hybrid approaches like reusable passwords for
local access, single-use passwords for remote access.

Quote:> Also, if anyone has experience with the Crack software -- about how much
> cpu-time would be needed to check 2,000 passwords?

Lots. Hours and hours. Depends on the CPU, the size of the crack
dictionary, and the number of crack rules. I usually run it niced to
19 (the lowest priority possible) so it minimizes impact on real
users.

Quote:> How often do normal system administrators run the Crack software?

Once a month at most.

--

Lockheed Martin Energy Systems, Oak Ridge National Lab, Workstation Support

 
 
 

Password Cracking Programs -- How useful?

Post by Lance Caven » Fri, 23 Aug 1996 04:00:00


On stardate 22 Aug 1996 10:34:43 GMT,


>Hi,
>I've a question about the usefulness of password cracking programs.
>One of the system administrators at a supercomputing center where we
>run our programs has the Crack software continuously running in
>background on a supercomputer.  We've complained that this is simply
>eating up valuable supercomputer time and he counters that it is
>absolutely essential for maintaing the security of the supercomputing
>center. (Note: There is no military research being done at this site and
>very little industrial research.)
>Now, I'm just a normal user and do not know much about computer security.
>So, can someone explain to me whether or not this is a normal procedure
>at supercomputer centers?  Does this really increase the security level?
>If someone were to crack the password of a normal user, would this pose
>more than a local problem? (I realize that if the root password were
>cracked you could have serious problems.) How do other computer centers
>deal with the problem of users using easy to crack passwords?

 Continously?! Anyway, I find them useless. All my users's passwords
expire every 30 days, and that is good enough for me. Also, my adduser
script makes the user have a password like xXxx1111 AND all the
passwords are shadowed. I find this adequate protection againsed
hackers (via crakers like CJ anyway).

--
,..............................................,
|               Lance Cavener                  |


`----------------------------------------------'
|  "The Apple Macintosh is for people who get  |
|   confused with more than 1 mouse button"    |
|               Former lead programmer of OS/2 |
`----------------------------------------------'

 
 
 

Password Cracking Programs -- How useful?

Post by a.. » Fri, 23 Aug 1996 04:00:00


:
: Hi,
:
: I've a question about the usefulness of password cracking programs.
: One of the system administrators at a supercomputing center where we
: run our programs has the Crack software continuously running in
: background on a supercomputer.  We've complained that this is simply
: eating up valuable supercomputer time and he counters that it is
: absolutely essential for maintaing the security of the supercomputing
: center. (Note: There is no military research being done at this site and
: very little industrial research.)

It's important enough that he can use the CPU cycles to do it.

: Now, I'm just a normal user and do not know much about computer security.
: So, can someone explain to me whether or not this is a normal procedure
: at supercomputer centers?  Does this really increase the security level?
: If someone were to crack the password of a normal user, would this pose
: more than a local problem? (I realize that if the root password were
: cracked you could have serious problems.) How do other computer centers
: deal with the problem of users using easy to crack passwords?

Let's just say this. Hacking root usually pretty simple once you get INTO a machine. There are allways new bugs that CERT doesn't
know about (Believe me, there are a LOT) and even then, not everybody fixes holes.

So, the best thing to do is keep people out of your system.

That involves keeping stupid passwords out of you pwd file.

This involves running crack.

: Also, if anyone has experience with the Crack software -- about how much
: cpu-time would be needed to check 2,000 passwords? How often do normal
: system administrators run the Crack software?

Not to long to check 2k passwords, but it depends on how big your dict file is. I run crack once every 2 weeks or so.

Andy Dills

 
 
 

Password Cracking Programs -- How useful?

Post by Simple Nom » Sat, 24 Aug 1996 04:00:00



Quote:>I've a question about the usefulness of password cracking programs.
>One of the system administrators at a supercomputing center where we
>run our programs has the Crack software continuously running in
>background on a supercomputer.  We've complained that this is simply
>eating up valuable supercomputer time and he counters that it is
>absolutely essential for maintaing the security of the supercomputing
>center. (Note: There is no military research being done at this site and
>very little industrial research.)

Just because it's not military or research doesn't make it less of a
target.

Quote:>Now, I'm just a normal user and do not know much about computer security.
>So, can someone explain to me whether or not this is a normal procedure
>at supercomputer centers?  Does this really increase the security level?

Most problems are passwords, so this HELPS. Something that checks
passwords on the front end (like during a password change) should be
used (although it may be). No this is not typical for large shops.

Quote:>If someone were to crack the password of a normal user, would this pose
>more than a local problem? (I realize that if the root password were
>cracked you could have serious problems.) How do other computer centers
>deal with the problem of users using easy to crack passwords?

By not allowing certain passwords you are doing a good thing. User
education and a well written security policy help explain things a bit
better, and make users accept things more. If you explain the risks,
users are a little more understanding.

Quote:>Also, if anyone has experience with the Crack software -- about how much
>cpu-time would be needed to check 2,000 passwords? How often do normal
>system administrators run the Crack software?

Well, if I had access to a supercomputer, you'd better hope I was
honest enough NOT be be checking other sites' passwd files ;-)

Considering the sizes of word lists and permutations you could go on
forever. But typically security conscious admins vary the frequency
at which they run Crack, but at least once a month...

--
Simple Nomad - Data Wanderer, Knowledge Hunter/Gatherer

     URL     - http://www.fastlane.net/homepages/thegnome
   Secrets   - FE DF F5 C5 6B D0 98 EA  ED 7C CD 98 E5 AF 63 21

 
 
 

Password Cracking Programs -- How useful?

Post by Bernd Eckenfe » Sat, 24 Aug 1996 04:00:00


: >I've a question about the usefulness of password cracking programs.
: >One of the system administrators at a supercomputing center where we
: >run our programs has the Crack software continuously running in
: >background on a supercomputer.

Actually cracking is not realy a job for an supercomputer (except it is a
parrallel system wth lots of cpus).

: Most problems are passwords, so this HELPS. Something that checks
: passwords on the front end (like during a password change) should be
: used (although it may be). No this is not typical for large shops.

There is a passwd replacement which runs crack on the unencrypted password
(which is much faster) just to be sure the passwoerd is safe enough. This is
much more inteligent than trying to crack the password afterwards :)

: >If someone were to crack the password of a normal user, would this pose
: >more than a local problem?

Well. Yes. Thge hacker can use the account as a base for further hacking.
She can snoopsensible informations of the user to gain further access to
other systems. The hacker can steal expensive computing and io resources or
net bandwith. He can even store highly illegal material on the hacked
account and run FTP/FSF servers (consider child*).

: Well, if I had access to a supercomputer, you'd better hope I was
: honest enough NOT be be checking other sites' passwd files ;-)

A pool with workstations (even a bunch of pentiums) is as powerfull in
cracking passwords as you would expect from a 1/4 million dollar system.

Greetings
Bernd
--



(O____O)       If privacy is outlawed only Outlaws have privacy

 
 
 

Password Cracking Programs -- How useful?

Post by Duncan Gibs » Sat, 24 Aug 1996 04:00:00



>Also, if anyone has experience with the Crack software -- about how much
>cpu-time would be needed to check 2,000 passwords? How often do normal
>system administrators run the Crack software?

We run Crack on a regular basis, and have found that no matter how
often we tell our users that passwords should not be simple words,
they still keep setting 'easy' passwords. The guy who installed the
Crack system here set up a huge word list from a lot of dictionaries,
and not just English ones either. Where he got these dictionaries I
do not know.

When we add a new dictionary we can run Crack on the whole password
file, but we haven't needed to add a new dictionary for a long while.
For normal use we maintain a copy of the previous password file entries
and generate a 'diff' listing so that we only need to run Crack on those
entries which have changed. This is a substantial time saving when it
takes a couple of hours for Crack to apply the full set of rules to the
dictionary for each password.

I agree with the other poster that it would be better to force people
to choose a better password in the first place, but if you make a rule
that all passwords have to contain a digit or punctuation then we have
found that users simple use a simple work with a digit or other character
appended to it. This gets round the rule, but unfortunately is still
quite crackable. You can't really build  Crack's full ruleset and
dictionary into the password setting program because it would simply
take too long.

If Crack guesses a user's password, then we stand over him/her until
they change it and the following weekend it will appear in the list
of changed passwords so Crack will have another go at it. Therefore
we only have a window of a day or two when the original password was
known [to us] and crackable by outsiders and only a few days of
uncertainty while we wait for the new password to be cracked.

And just because you might sit behind a firewall and think that you are
safe from attack you shouldn't get complacent. I have worked with several
people in the past who I wouldn't trust further than I could comfortably
spit a rat, to use Douglas Adam's phrase. And as for student pranksters...

Cheers
Duncan

This is my article, not my employer's, with my opinions and my disclaimer!
--
Duncan Gibson, ESTEC/YCV, Postbus 299, 2200AG Noordwijk, The Netherlands

 
 
 

Password Cracking Programs -- How useful?

Post by Bill Tott » Sat, 24 Aug 1996 04:00:00





>>Also, if anyone has experience with the Crack software -- about how much
>>cpu-time would be needed to check 2,000 passwords? How often do normal
>>system administrators run the Crack software?
 <...>
>I agree with the other poster that it would be better to force people
>to choose a better password in the first place, but if you make a rule
>that all passwords have to contain a digit or punctuation then we have
>found that users simple use a simple work with a digit or other character
>appended to it. This gets round the rule, but unfortunately is still
>quite crackable. You can't really build  Crack's full ruleset and
>dictionary into the password setting program because it would simply

 <...>

  Crack is not the best solution.  Having your passwd program check to see
if the password is good before allowing it to be let in.  The passwd program
on my Linux box does this. There is also a copy of a perl script in the
book "Programming Perl" by ora which claims to do this very well.  You could
probably modify your crack program to run on an individual basis if you
needed to as well.

  By taking this route you neutrolize the problem before it develops.
You should also keep from running the Crack program all the time.  Of course,
this may not work depending on how your system is set up.  This type
of checking would be difficult to implement here at my University, but
it might not be that hard for you.  Although Crack on my Universities
computing systems would not be fun either, there are over 5,000 active
accounts.

  I hope some of this will be usefull.

--
Totten, William David (Bill)       CIS Major & Student Computing Consultant


http://www.ecl.udel.edu/~totten       LINUX: The Choice of a GNU Generation

 
 
 

Password Cracking Programs -- How useful?

Post by William Unr » Sat, 24 Aug 1996 04:00:00



Quote:>I agree with the other poster that it would be better to force people
>to choose a better password in the first place, but if you make a rule
>that all passwords have to contain a digit or punctuation then we have
>found that users simple use a simple work with a digit or other character
>appended to it. This gets round the rule, but unfortunately is still
>quite crackable. You can't really build  Crack's full ruleset and
>dictionary into the password setting program because it would simply
>take too long.

Sorry- not true. Remember that the password setting program KNOWS what
the password is (the user typed it in!) Running a test on a known
password is far far easier than cracking it. In fact, Moffat wrote a
whole suite of library routines (Cracklib) to do just that. I have
instituted it into out password routines, and it takes about a second
(on a Sparc10) to check the password against a far larger set of rules
than Crack could ever handle in a reasonable time.(eg, nothing that
looks like a car or truck license number or a telephone number)

--
Bill Unruh

 
 
 

Password Cracking Programs -- How useful?

Post by Duncan Gibs » Tue, 27 Aug 1996 04:00:00


: You can't really build  Crack's full ruleset and dictionary into the
: password setting program because it would simply take too long.


Quote:>Sorry- not true. Remember that the password setting program KNOWS what
>the password is (the user typed it in!) Running a test on a known
>password is far far easier than cracking it. In fact, Moffat wrote a
>whole suite of library routines (Cracklib) to do just that. I have
>instituted it into out password routines, and it takes about a second
>(on a Sparc10) to check the password against a far larger set of rules
>than Crack could ever handle in a reasonable time.(eg, nothing that
>looks like a car or truck license number or a telephone number)

Yes, of course, you are absolutely right. I obviously had a brain-fade.
When you set the password you have it in plain text, and therefore you
don't have the overhead of encrypting the whole dictionary * rules set
before you compare.

Cheers
Duncan

This is my article, not my employer's, with my opinions and my disclaimer!
--
Duncan Gibson, ESTEC/YCV, Postbus 299, 2200AG Noordwijk, The Netherlands

 
 
 

Password Cracking Programs -- How useful?

Post by Tim Hoga » Fri, 30 Aug 1996 04:00:00



: : >I've a question about the usefulness of password cracking programs.
: : >One of the system administrators at a supercomputing center where we
: : >run our programs has the Crack software continuously running in
: : >background on a supercomputer.

: Actually cracking is not realy a job for an supercomputer (except it is a
: parrallel system wth lots of cpus).

Running crack at that system seems to be a waste of good CPU time.

If one is interested in cracking unix password, build some hardware to
do it.  Some of the off the shelf FPGA's can do the crypt routines and
one password every 100ns give 10,000,000 a second.  That turns it into
a 200,000 hr project for one $70 chip if you want to try all passwords.
Give up on things people are not likey to type and it is real easy (but
takes more hardware).

: : Most problems are passwords, so this HELPS. Something that checks
: : passwords on the front end (like during a password change) should be
: : used (although it may be). No this is not typical for large shops.

: There is a passwd replacement which runs crack on the unencrypted password
: (which is much faster) just to be sure the passwoerd is safe enough. This is
: much more inteligent than trying to crack the password afterwards :)

If the password checker is too strict, it will end up with all passwords
being written down which is a real security threat.  If the password
checker is less strict (say it lets you use car tags) then there is a
change that the passwords won't be written down (thus being more secure
in the real world) but guessable (only likly in some sysadm's minds).
I don't think users should be allowed to select "password" for their
password but I know systems that don't tell you the password rules
far enough in advance to let a user think, are serioulsy broken.

Another easy solution is change the crypto string.  Have /bin/passwd
and login encrypt soemthing other than 8 mulls.  It works and
makes you /etc/passwd non-portable.  It's security through obscurity
but isn't that was passwords are all about in the first place?  When
your counting on a weak system, more levels might help.

: : Well, if I had access to a supercomputer, you'd better hope I was
: : honest enough NOT be be checking other sites' passwd files ;-)
This would be my first concern.  If you have a sysadm that is using
resource to crack other systems password files, you might not want
them working security at your location.

-tim