[dba-Tech] Check password strength

Mark Breen marklbreen at gmail.com
Mon Jul 23 03:32:27 CDT 2012


Hi Arthur,

thanks for the email, we need more linux posts here on dba-Tech.  After
all,  it is the OS of the future  it is the OS of the present ;)

There was another site posted here about a year ago and it allowed us to
type in a password and it would tell us how long it would take to
bruteforce that password.  They provided three metrics, Online Attack
Scenario, Offline Fast Attack Scenario and a Massive Cracking Array
Scenario.

What the site really demonstrated was that the longer the password the
better, complexity helped, but password length trumped complexity.

Complex passwords almost always have to be stored in a secure tool, which
itself must be password protected and managed securely.

With that in mind, I have started to move towards simpler but longer
passwords.  My assumption is they are too strong to be bruteforced or
guessed, no dictionary attack is likely to find a match, and the user does
not have to write them done.  My longer passwords also have one added
benefit, they are easy to type in.

samples of easy to remember, easy to type are

accessdbmwmotorcycles
sausagesandbicycles
ilovetotravel
arthurandraspberryaregreat

You see that these are impossible to bruteforce, (according to the tool we
played with last year).  Impossible to dictionary attack.  Easy to type,
easy to remember.

I used to work with an old carpenter that did not like aluminium ladders,
he only liked to work on wooden ladders.  He always said "they fella that
invented those ladders should be made walk up and down one for a day and
see how he likes it".

I have a colleague that regularly assigns me passwords.  I silently take
them, but every time he gives me a password I think "the fella that makes
them up should be made type them in - and remember them - for a month and
see how he likes them".

Here are the links that someone posted last august


https://www.grc.com/haystack.htm


http://xkcd.com/936/

First one is serious and the second is funny, but the first one is really
interesting.

Here is a snip from the first link.

{
The main concept can be understood by answering this question:

Which of the following two passwords is stronger,
more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the
fact that the first password is HUGELY easier to use and more memorable, it
is also the stronger of the two! In fact, since it is one character longer
and contains uppercase, lowercase, a number and special characters, that
first password would take an attacker approximately 95 times longer to find
by searching than the second impossible-to-remember-or-type password!
}

Thanks

Mark



On 23 July 2012 02:59, Arthur Fuller <fuller.artful at gmail.com> wrote:

> I lifted the following snippet from nixCraft:
>
> Granted, it's intended for Linux, but I think most of us have a Linux VM
> handy, if for nothing else but occasional experimentation You can always
> flip to Linux to test out your various passwords:
>
> HowTo: Linux Check Password Strength With Cracklib-check
> Command<http://www.cyberciti.biz/security/linux-password-strength-checker/
> >
>
> Using the same password on different servers allows attackers to access
> your accounts if cracker manage to steal your password from a less secure
> server. This is true for online website accounts too. So solution is to
> create unique passwords for server accounts like your email, sftp and ssh
> accounts. General guideline to create a strong and unique password is as
> follows:
>
>    1. Create a password with mix of numbers, special symbols, and
> alphabets.
>    2. Make sure your password is hard to guess. You can use tool such as
>    makepasswd <http://www.cyberciti.biz/faq/generating-random-password/>
> to
>    create hard to guess password.
>    3. Do not use simple words like "password", "123456", "123abc" or
>    "qwerty".
>    4. Use a unique password for all your server accounts.
>    5. A minimum password length of 12 to 14 characters should be used. See
>    how to configure CentOS / RHEL / Fedora Linux based
> server<
> http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-password-quality-control/
> >
> password
>    quality requirements.
>    6. Generating passwords randomly where feasible. You can do this with a
>    simple shell
> script<http://www.cyberciti.biz/faq/linux-random-password-generator/>
>    function.
>    7. If possible use two-factor authentication.
>    8. Use pam_crack to ensure strong
> passwords<
> http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html
> >
> and
>    to check passwords against a dictionary attack.
>
> But, how do you test the effectiveness of a password in resisting guessing
> and brute-force attacks under Linux? The answer is simple use
> cracklib-check command.
> Say hello to cracklib-check
>
> This command takes a list of passwords from keyboard
> (stdin<http://bash.cyberciti.biz/guide/Input_and_Output>)
> and checks them using libcrack2. The idea is simple: try to prevent users
> from choosing passwords that could be guessed by "crack" by filtering them
> out, at source.
> Examples
>
> Test a simple password like "password", enter:
> $ echo "password" | cracklib-check
> Sample outputs:
>
> password: it is based on a dictionary word
>
> Try sequential patterns such as "abc123456":
> $ echo "abc123456" | cracklib-check
> Sample outputs:
>
> abc123456: it is too simplistic/systematic
>
> Try a password with a mix of letters, numbers, and symbols:
> $ echo 'i1oVe|DiZza' | cracklib-check
> Sample outputs:
>
> i1oVe|DiZza: OK
>
> The above password increases the difficulty of guessing or cracking your
> password. I used a random phrase (easy to remember) "I Love Pizza" and
> inserted random characters to create hard a strong password -
> "i1oVe|DiZza".
> Putting it all together
>
>  #!/bin/bash# A sample shell script to add user to the system# Check
> password for strength # Written by Vivek Gite under GPL v2.x+#
> ----------------------------------------------read -p "Enter username
> : " userread -sp "Enter password : " passwordechoecho "Tesing password
> strength..."echoresult="$(cracklib-check <<<"$password")"# okay awk is
>  bad choice but this is a demo okay="$(awk -F': ' '{ print $2}'
> <<<"$result")"if [[ "$okay" == "OK" ]]then
>         echo "Adding a user account please wait..."
>         /sbin/useradd -m -s /bin/bash $user
>         echo "$user:$password" | /sbin/chpasswdelse
>         echo "Your password was rejected - $result"
>         echo "Try again."fi
>
>
> Hope this helps someone.
> --
> Arthur
> Cell: 647.710.1314
>
> Prediction is difficult, especially of the future.
>   -- Niels Bohr
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>


More information about the dba-Tech mailing list