PASSWORD GUESSING

Jeff Medcalf jeffm at uokmax.UUCP
Wed Aug 23 05:56:39 AEST 1989


(Taken from many different articles...)
>>|       The advice I see most often, and use myself is to simply pick
>>|   two unrelated words that are seperated by a symbol, with the entire
>>|   password being seven or eight charectors in length.  Care to figure
>>|   what the odds are of a hacker breaking it ? 
>
>I'd say its a virtual certainty any good programmer could break that
>system in a very small amount of time.
>
>A few questions crop up - how many three or four letter words are
>there, versus possible three or four letter combinations of letters.
>Next, how many special symbols are there.
>
>The answer should be a small enough number for my PC to get it over
>one or two nights of crunching.

The problem is that you assume that you KNOW that this is the scheme being used.
In actuality, a true password breaking program would require checking:

	1)  the words in /usr/dict/words
	2)  the username
	3)  the user id (ex: uid41 in my case, or just 41, or uid 41, etc.)

In effect, your best bet is to start checking each single character, then each
character pair, then each three, etc.  You could send several long documents
through a program to generate letter pair and triple frequencies, then check
them in order of frequency.  In effect, you really *would* need to run a good
mainframe in single-user mode for a few weeks to be assured of breaking a 
password.


Disclaimer:  You can always use ^K.  Flames > /dev/null
jeffm at uokmax.UUCP	| What do you mean "segmentation fault?"
Jeff Medcalf		| Phasers on deep baste!



More information about the Comp.unix.wizards mailing list