[Cryptography] Brute-force password crackers?

Henry Baker hbaker1 at pipeline.com
Mon Dec 27 16:17:57 EST 2021

-----Original Message-----
From: Tom Mitchell 
Sent: Dec 27, 2021 12:17 PM
To: Jerry Leichter 
Cc: Henry Baker , Crypto 
Subject: Re: [Cryptography] Brute-force password crackers?

On Sat, Dec 25, 2021 at 6:03 PM Jerry Leichter  wrote:
>>..... If you have your hands on the device, you can read the sticker on it, so even a strong, unique default password is known to you - let's hope the user either changed it (if that's possible!) or removed the sticker.
>>If you can bypass the OS to read /etc/shadow, you can modify it as well and create your own username/password.
>>(I doubt any IoT devices are capable of this, but there could be a secure boot sequence that prevents you from changing what's there.  But anyone who implements that will sign - and probably encrypt - the entire thing.)

Before tossing the sticker, back it up someplace safe.
That is likely the password that is needed after a physical reset.
Also back up the settings; hopefully the device makes that easy.
If a default password is lost, there is a denial-of-service "bricked it" option for the bad guys.

Yes, change the password.
Are there better tools than apg?
apg "generates several random passwords. It uses several password generation algorithms (currently two)"
If you suspect generated passwords are guessable, grab some physical dice to chop generated passwords into 1-6 char chunks.


          T o m    M i t c h e l l  (on NiftyEgg[.]com )

OK, we have databases of >10^6 passwords, so we can easily compute distributions for graphs, digraphs, trigraphs, etc.
So a 'random' password is potentially guessed more quickly than a 'non-random' password which utilizes these distributions for pessimizing guessability.
In particular, shouldn't password generators make sure that passwords utilize less-frequently used characters -- e.g., the 'long tail'?  It should certainly reject the very rare cases of all digits, etc.
While these passwords may not be easy to type -- e.g., Unicode -- this may not make much difference with keepass-type programs.
Isn't that so?
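
The digraph-distribution idea raised in the message above, as an added example that is not part of the original post: it trains a digraph model on a password list and scores candidates by how surprising they are under that model, next to the entropy of a uniform draw. The corpus is a constructed stand-in, and the function names, the start marker and the add-one smoothing are assumptions of this sketch.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample standing in for a leaked-password corpus (assumption).
CORPUS = ["password", "password1", "123456", "12345678", "qwerty", "letmein",
          "iloveyou", "dragon", "sunshine", "princess", "monkey123", "abc123"]
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
START = "^"                                        # start-of-password marker


def train_digraphs(corpus):
    """Count digraphs (adjacent character pairs), including the start marker."""
    pairs, firsts = Counter(), Counter()
    for word in corpus:
        prev = START
        for ch in word:
            pairs[prev, ch] += 1   # how often ch follows prev
            firsts[prev] += 1      # how often prev is followed by anything
            prev = ch
    return pairs, firsts


def surprisal_bits(password, model, vocab=len(ALPHABET)):
    """-log2 P(password) under the digraph model, with add-one smoothing."""
    pairs, firsts = model
    bits, prev = 0.0, START
    for ch in password:
        p = (pairs[prev, ch] + 1) / (firsts[prev] + vocab)
        bits -= math.log2(p)
        prev = ch
    return bits


def uniform_bits(length, vocab=len(ALPHABET)):
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(vocab)


def generate(length=12):
    """Uniform draw from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


MODEL = train_digraphs(CORPUS)
if __name__ == "__main__":
    for pw in ("password1", "12345678", generate(9)):
        print(f"{pw!r}: model {surprisal_bits(pw, MODEL):.1f} bits, "
              f"uniform {uniform_bits(len(pw)):.1f} bits")
```

A low score relative to `uniform_bits` marks a candidate that a frequency-ordered guesser would reach early; with a corpus this small the absolute numbers mean little, only the ordering does.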