
Thread: Should I care if "John" finds my password.

  1. #1

    Should I care if "John" finds my password.

    Still learning to use Linux, just for a laugh I tried the John program on /etc/shadow and in 41 seconds it showed my password on the screen. So for a moment I thought "OMG My Passord Is Teh Suxxor" but then I thought, who the hell cares?
    A real attacker wouldn't be able to get at the password file unless they already had root access, in which case they wouldn't bother with my password would they?
    "Some say they go looking for Drugs, Dirty Dancing and Pounding, Pounding Techno Music."
    *ahem* contact me

  2. #2
    Senior Member nihil
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    These are my personal views:

    1. That is what John the Ripper is supposed to do.
    2. I would not assume that your password file cannot be accessed without root. Or that root cannot be remotely obtained on your system.
    3. 41 Seconds isn't very long. You might consider using a longer and stronger password.
    4. Don't assume that someone is not interested in your password. Some things you can really only hope to reset, but that is a dead giveaway that a compromise has occurred. So, to raise as little suspicion as possible, you may want to find and use the existing one?

    To make a long password that is easily remembered:

    1. Pick a seed: "PaSsWoRd" then pack it out:

    2. €0987654321"PaSsWoRd"?><MNBVCXZ|£

    I would imagine that would take a little while? The packing is just the top and bottom rows of the keyboard.

    You may like to try that method to see how effective it is? I must admit that I have not tried the latest tools.

  3. #3
    Disgruntled Postal Worker fourdc
    Join Date: Jul 2002
    Location: Vermont, USA
    Posts: 797
    Nihil,

    great idea on the "packing". I'd been doing variations on upper/lower case, subbing numbers for letters (l337). But packing is a great idea.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,885
    Yes, you should absolutely care. There have been more than a handful of directory traversal exploits out there over the years, many of which gave you access to the shadow PW file as well as many other "protected" areas of the file system. In fact, just a few weeks back, I found one in a very well respected product.

    Do yourself a favor, especially if you're going to expose that host to the internet, and follow security best practices. Good passwords are the foundation of good security.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Quote Originally Posted by nihil
    4. Don't assume that someone is not interested in your password.
    I wasn't, I was just assuming that if someone had already compromised my system that far, they wouldn't need my password. But I guess I was wrong...
    Quote Originally Posted by thehorse13
    There have been more than a handful of directory traversal exploits out there over the years, many of which gave you access to the shadow PW file as well as many other "protected" areas of the file system.
    I guess that's what I wanted to know. Thanks all, I guess it's time for me to get a new password.
    "Some say they go looking for Drugs, Dirty Dancing and Pounding, Pounding Techno Music."
    *ahem* contact me

  6. #6
    I remember an incident with a client I had where someone got his Gmail password. It was his personal account and he was aware. Doesn't seem like much, just a seldom-used personal email account. However, the attacker searched it and retrieved passwords and documents describing how this guy's business was set up. From there he was able to gain full access to their networks. My point is you should protect all your passwords. Maybe try a pass phrase such as "this is my password"; that right there is easy to remember and is 18 characters. At 18^26th power that leads to a pretty large number and a bit of time to brute force.
    ...."Can't stop the signal, Mel. Everything goes somewhere and I go everywhere."...... "From here to the eyes and the ears of the verse, that's my motto, or might be if I start having a motto" - Mr. Universe, "Serenity"

  7. #7
    BANNED
    Join Date: Nov 2003
    Location: San Diego
    Posts: 724
    It's still all lower case standard letters.

    http://www.cs.umd.edu/faq/Passwords.shtml
    When death sleeps it dreams of you...

  8. #8
    Agony Aunty-Online Moira
    Join Date: Jun 2003
    Posts: 1,063
    Quote Originally Posted by fourdc
    Nihil,
    I'd been doing variations on upper/lower case, subbing numbers for letters (l337).
    Most programs that search for passwords would routinely try replacing e's with 3s and a's with 4s etc., so turning your password into leetspeak isn't really protecting it very much. Not sure about the packing. I guess if you could make your own individual packing round a word and remember the sequence it would be a lot stronger.
    77 111 105 114 97

    My PGP signature

  9. #9
    Senior Member nihil
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    Yes, a "good quality" dictionary will contain leetspeak and known "default" passwords as well.

    If it is brute force/rainbow tables then it isn't looking for words anyway.
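    The point made across posts #6 to #9 (a dictionary with leetspeak and padding rules shrinks the real search space well below the naive charset^length figure, while an individual packing survives those rules), as an added example that is not code from the thread or from John the Ripper; the word list, its assumed real-world size and the substitution table are constructed stand-ins:

```python
import math
import re

# Constructed stand-in for a cracker's word list (assumption: real lists hold millions of entries).
WORDLIST = {"this", "is", "my", "password", "letmein", "welcome", "qwerty"}
ASSUMED_LIST_SIZE = 100_000  # assumption: size of the common-words list an attacker would actually use

# Substitutions a "good quality" dictionary undoes before matching, as nihil and Moira describe.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

# Reverse of a "packing" rule: peel off non-letter characters added before or after the word.
PADDING = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def unleet(pw: str) -> str:
    """Map leetspeak back to plain letters and lower-case the result."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def dictionary_core(pw: str):
    """Return the dictionary words the password reduces to, or None if it survives the mangling rules."""
    # Try both orders, since padding digits ("123Password") must not be mistaken for leet letters.
    for cand in (unleet(PADDING.sub("", pw)), PADDING.sub("", unleet(pw))):
        words = cand.split(" ")
        if all(w in WORDLIST for w in words):
            return words
    return None


def brute_force_bits(pw: str) -> float:
    """Search space in bits if the attacker must brute-force over the character classes used."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # ASCII punctuation plus space; non-ASCII counted the same
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Compare the naive brute-force figure with the effective work once dictionary rules are applied."""
    brute = brute_force_bits(pw)
    words = dictionary_core(pw)
    # A phrase of N dictionary words costs about list_size ** N guesses, not charset ** length.
    effective = len(words) * math.log2(ASSUMED_LIST_SIZE) if words else brute
    return {"derived_from": words, "effective_bits": round(effective, 1), "brute_force_bits": round(brute, 1)}


if __name__ == "__main__":
    for pw in ("P4ssw0rd", "this is my password", '€0987654321"PaSsWoRd"?><MNBVCXZ|£'):
        print(repr(pw), assess(pw))
```

    Run it to see that "P4ssw0rd" and "this is my password" both collapse to list entries, while nihil's packed string does not and keeps its full brute-force figure.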

  10. #10
    Senior Member
    Join Date: Feb 2004
    Location: Near Manchester (England)
    Posts: 145
    I like to use the <alt> key and the number pad to generate characters in my password.

    Damn! My secret's out now! lol
    Tomorrow is another day for yesterday's work!
