[Cryptography] Brute-force password crackers?

Tom Mitchell mitch at niftyegg.com
Mon Dec 27 15:17:19 EST 2021


On Sat, Dec 25, 2021 at 6:03 PM Jerry Leichter <leichter at lrw.com> wrote:
>>..... If you have your hands on the device, you can read the sticker on
>> it, so even a strong, unique default password is known to you - let's hope
>> the user either changed it (if that's possible!) or removed the sticker.
>> If you can bypass the OS to read /etc/shadow, you can modify it as well
>> and create your own username/password.  (I doubt any IoT devices are
>> capable of this, but there could be a secure boot sequence that prevents
>> you from changing what's there.  But anyone who implements that will
>> sign - and probably encrypt - the entire thing.)

Before tossing the sticker, back it up someplace safe.
That is likely the password needed after a physical reset.
Also back up the settings; hopefully the device makes that easy.
If a default password is lost, there is a denial-of-service, bricked-it
option for the bad guys.

Yes, change the password.
Are there better tools than apg?
apg "generates several random passwords. It uses several password
generation algorithms (currently two)"
If you suspect generated passwords are guessable, grab some physical
dice to chop generated passwords into 1-6 char chunks.





-- 

          T o m    M i t c h e l l  (on NiftyEgg[.]com )