[svlug] crack

Dagmar d'Surreal dagmar at dsurreal.org
Fri Feb 9 17:07:07 PST 2001


On Fri, 9 Feb 2001, Marc MERLIN wrote:

> On Fri, Feb 09, 2001 at 04:42:22PM -0800, Dagmar d'Surreal wrote:
> > > > Since you're apparently taking the approach that shadowing is useless,
> > > > please define "crackable".
> > >  
> > > Crackable is something _I_ can crack in a few days or a few weeks with
> > > Crack/JDR/whatever.
> > 
> > Tried to brute force properly chosen passwords lately?
>  
> I never said I could.
> My point all along is that all the users should have properly chosen passwords,
> whether you use shadow passwords or not.
> 
> The reason I underlined "I" is because there are passwords that I couldn't
> crack, but that the NSA probably could.

*chuckle* The NSA doesn't need to crack your passwords.  If they want into
your stuff, you and it will simply disappear in the middle of the
night.  (Key abduction attack  ;) )
  
> > > You send the hashed password to LDAP server, it says "matches" or "doesn't
> > > match". You never get to see any of the hashed passwords on the LDAP server
> > > (at least that's my understanding)
> > 
> > Pretty interesting.  Hash goes across the wire in the clear then does it?
>  
> LDAP connections can be made over SSL.
> If they're not, then yes, it's in the clear, which means that if you also
> have a broadcast network (instead of a switched one, like hopefully mostly
> everyone does by now), someone could be sniffing hashes one by one.

Shucks!  I was hoping you'd admit to running LDAP in the clear.  For those
in the peanut gallery, switched segments don't offer much protection
against someone who has learned their ugly little secrets.

> > > Sure, but one shouldn't be saying "I don't need to run crack or have
> > > cracklib linked to passwd since I have shadow passwords"
> > 
> > Did I say that?
>  
> No, hence the use of "one" which was supposed to make it a general
> statement.
>  
> > > Trimming quotes and signatures would help a bit too.
> 
> Sigh, I guess I'll have to trim them for both you and me then...

I trimmed 'em.  ;)  I just didn't have anything to say other than my act
of trimming that time.




