From: Stacey Roberts
Reply-To: stacey@vickiandstacey.com
To: Stephen Hovey
Cc: paul beard, FreeBSD Questions
Subject: Re: L0phtcrack
Date: 23 Dec 2002 23:05:07 +0000
Message-Id: <1040684706.58381.120.camel@localhost>

On Mon, 2002-12-23 at 22:57, Stephen Hovey wrote:
> I've used such utilities in the past..
>

Same here. Various border-penetration tools and passwd crackers that run
fortnightly, are used by my team at work. I don't disagree with their
existence, nor stated terms of usage.

The poster has already answered the followup question in my original
reply.., which was very good of him.

Regards,

Stacey

> Basically, the only way a legit admin can secure things, is if they have
> access to the same tech the bad guys use.. otherwise they can never be
> really certain they have things shored up.
>
> On Mon, 23 Dec 2002, paul beard wrote:
>
> > Stacey Roberts wrote:
> >
> > >
> > > Why would you want to do this? Personally, I figure it's prudent to ask.
> > >
> > It does have some legitimate uses, according to this page (
> > http://www.atstake.com/research/lc/ ):
> >
> > > Consider that at one of the largest technology companies, where
> > > policy required that passwords exceed 8 characters, mix cases,
> > > and include numbers or symbols...
> > >
> > > * L0phtCrack obtained 18% of the passwords in 10 minutes
> > > * 90% of the passwords were recovered within 48 hours on a Pentium
> > >   II/300
> > > * The Administrator and most Domain Admin passwords were
> > >   cracked
> > >
> > > It doesn't have to be this way. Crack-resistant passwords are
> > > achievable and practical. But password auditing is the only
> > > sure way to identify user accounts with weak passwords. LC4
> > > offers an easy and adaptable way to address this threat and
> > > find vulnerable passwords.
> >
> > > Take it from a 1998 Microsoft security bulletin:
> > >
> > > "consider evaluating a tool such as L0phtcrack 2.0 for
> > > assisting in checking the quality of user passwords."
> > >
> > >
> > --
> > Paul Beard: seeking UNIX/internet engineering work
> >
> > 8040 27th Ave NE Seattle WA 98115 / 206 529 8400
> >
> > "Laughter is the closest distance between two people."
> > -- Victor Borge

--
Stacey Roberts
B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message