Printable View
Still learning to use Linux, just for a laugh I tried the John program on /etc/shadow and in 41 seconds it showed my password on the screen. So for a moment I thought "OMG My Passord Is Teh Suxxor" but then I thought, who the hell cares?
A real attacker wouldn't be able to get at the password file unless they already had root access, in which case they wouldn't bother with my password would they?
These are my personal views:
1. That is what John the Ripper is supposed to do.
2. I would not assume that your password file cannot be accessed without root. Or that root cannot be remotely obtained on your system.
3. 41 Seconds isn't very long. You might consider using a longer and stronger password.
4. Don't assume that someone is not interested in your password. Some things you can really only hope to reset it, but that is a dead giveaway that a compromise has occurred. So, to raise as little suspicion as possible you may want to find and use the existing one?
To make a long password that is easily remembered:
1. Pick a seed: "PaSsWoRd" then pack it out:
2. €0987654321"PaSsWoRd"?><MNBVCXZ|£
I would imagine that would take a little while?..............the packing is just the top and bottom rows of the keyboard.
You may like to try that method to see how effective it is? I must admit that I have not tried the latest tools ;)
Nihil,
great idea on the "packing". I'd been doing variations on upper/lower case, subbing numbers for letters (l337). But packing is a great idea.
Yes, you should absolutely care. There have been more than a handful of directory traversal exploits out there over the years, many of which gave you access to the shadow PW file as well as many other "protected" areas of the file system. In fact, just a few weeks back, I found one in a very well respected product.
Do yourself a favor, especially if you're going to expose that host to the internet, follow security best practices. Good passwords are the foundation to good security.
--TH13
I wasn't, I was just assuming that if someone had already compromised my system that far, they wouldn't need my password. But I guess I was wrong...Quote:
Originally Posted by nihil
I guess that's what I wanted to know. Thanks all, I guess it's time for me to get a new password.Quote:
Originally Posted by thehorse13
i remember an incident with a client i had where some one got his gmail password. It was his personal account and he was aware. Doesnt seem like much just a seldom used personal email account. Howerver the attacker searched it and retrived passwords and documents descripbing how this guys bussiness was set up. From there he was able to gain full access to their networks.My point is you should protect all your passwords. Maby try a pass phrase such as "this is my password" that right there is easy to remember and is 18 characters. at 18^26th power that leads to a pretty large number and a bit of time to brute force.
It's still all lower case standard letters.
http://www.cs.umd.edu/faq/Passwords.shtml
Most programs that search for passwords would routinely try replacing e's with 3s and a's with 4s etc - turning your password into leetspeak isn't really protecting it very much. Not sure about the packing .... I guess if you could make your own individual packing round a word and remember the sequence it would be a lot stronger.Quote:
Originally Posted by fourdc
Yes, a "good quality" dictionary will contain leetspeak and known "default" passwords as well.
If it is brute force/rainbow tables then it isn't looking for words anyway.
I like to use the <alt> key and the number pad to generate characters in my password.
Damn! My secret's out now! lol
Ah! the ASCII character set........................ need to be a bit careful there, as a lot of systems have "illegal/reserved" characters.
And some (not mentioning any names) will accept the creation of an illegal password and then not let you log in with it :D
Mind you, if you can include the ASCII set, you greatly increase the possibilities and hence the difficulty of a successful crack.
You are, of course, quite right to point out that I'm not always able to use obscure ascii characters in my passwords, nihil. My apologies if I was misleading, that wasn't my intention, just posting too fast, i.e. not thinking! lol
I do like to use obscure characters in passwords wherever possible as it adds to their strength.
I hope I have added just a little value to the topic. Heh heh.
I had a buddy who someone got into his machine. He formatted like a good boy should they put it back on the net with ssh open. Guess who came back a second time and had the keys for the front door.
If you get p0wned by someone who has time and energy chances are they will at least come back for a second look around some time.
p.s. I always use a fake email address with upper and lower cases. i.e. [email protected] because its easy to remember and uses lots of stuff.... but then again my memory is crappy.
:)
ya, i find that that system works really well for me. i usually use phrases that have to do with something important to me, like a family member, girlfriend, most commonly God, etc. it makes it easy and can get pretty long. i also mix in the ascii set that simple simon was talking about and a few of my favorite numbers in various positions of the password. i have a terrible memory too, so i standardized my passwords a lil so i use some of them in a lot of places depending on how public they are and what data im securing with em and then i made myself a master list (hard copy under my printer in my bedroom, as long as no one from AO is looking through my window i think im good :P ) so i wont forget. all just my 2 cents on passwordsQuote:
Originally Posted by ech0
I usually use a looooong passphrase for my critical passwords. Something like, "I have an Alienware Area 51 computer" and remove the spaces. So my password in this instance would be, "IhaveanAlienwareArea51computer", which is a pretty strond password. I usually use my mobile phone model number, my laptop model number etc., in the phrase.
Cheers,
cgkanchi
PS: I do not have an Alienware computer, though I'd love to :D
You could always add salt :)