[Tfug] Why would *anyone* leave a door open?

Jordan Aberle jordan.aberle at gmail.com
Fri Aug 28 16:19:38 MST 2009


Your "John the Ripper" example doesn't work for WPA2 cracking; the SSID is
integrated into the hash. So, you need a premade list that has been
computed with the SSID that you are trying to crack into all the words in
the dictionary list. That is what makes WPA2 that much more secure.
Example of a premade list:
http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90

The 1000 SSID list here took 3 days of some serious computing power to make a
list that works with cracking WPA2 networks. If the SSID of the network does
not exist in this list you would have to do some serious number crunching
yourself to make a dictionary list for that one SSID you are trying to
crack.  It would take days to add an SSID you were trying to crack to the
list in the above example with a normal dual core system.  Lots of withs..
;p


On Fri, Aug 28, 2009 at 3:29 PM, Bexley Hall <bexley401 at yahoo.com> wrote:

> > >>> s/does/did/
> > >>
> > >> OK...what the hell does that mean?
> > >
> > > Substitute 'does' with 'did'. Not a vi user, eh? ;-)
> >
> > Ah.  Meaning he probably threw it in there now :).
> >
> > Good news is, I deliberately used a passphrase that I've
> > never actually used :).
> >
> > I tend to use that sort of style though, and recommend it
> > often.  It's the best way to memorize a long passphrase.
> >
> > You can also create "families" of passwords with it.
> > In other words, both a longer and shorter version of the same
> > concept.  Done right,
> > each has meaning only to you, so that if one is compromised
> > the other version isn't, or at least the search is only narrowed a
> > little bit but still basically impossible.
> >
> > Example...if the long phrase is
> > "iseedeadpeopleinabadmovie", the short
> > might be "ghostpoop".  To a human, one will remind you of the other,
> > but to a computer there's no link.
>
> But some cracking algorithms don't *care* about the significance
> of the character sequence you choose!  E.g., "34fdY7g42" is just as
> (insecure) as "ghostpoop"!  Dictionary based attacks rely on
> the dictionary happening to contain the vulnerable password
> in order to work.  So, using digits "4", "8", "2", etc. makes
> your password more likely to appear in such a list (dictionary).
> E.g., born2run, iamgr8, ready4it, etc.
>
> OTOH, other cracking techniques essentially try *all* of the
> possible combinations of characters (in a less computationally
> intensive approach).  So, passwords that wouldn't *tend* to
> appear in a "dictionary" are just as likely to be discovered
> as those that *would*.  As such, your best defense is a
> longer (wider) password and/or using characters that *really* are
> "never encountered" in passwords.
>
> As I said, theory and practice are very different animals
> in this world.  And, just because something *seems* secure,
> doesn't mean someone hasn't found a way to *efficiently*
> circumvent it!
>
> Is someone going to crack your password if they have to gain
> *physical* access to your machine (i.e., you keep it offline
> as I do mine) *and* have to be motivated to *want* what's
> on your machine?  Or, are they going to attack some account
> of yours (banking account$ tend to be worth $omething to
> $tranger$!) that is publicly accessible with little
> *practical* hope of ever being "traced" to the attacker?
>
> If I have to break into your home to tap into your wired
> network, I put myself at considerable risk.  OTOH, if I
> can sit down the end of the block -- or, in a neighbor's
> house -- and do this "safely"...
>
> Do the math.
>
>
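
Added example, not part of the original message: a sketch of why a premade list is tied to one SSID. WPA2-Personal derives its key with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 iterations, 256-bit output, per IEEE 802.11i); the word list and the SSID "tfug-example-7f3a" are constructed sample data, and the helper names are hypothetical.

```python
import hashlib

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA/WPA2-Personal.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def build_table(words, ssid):
    """Precompute key -> word for ONE SSID, which is what a premade list stores."""
    return {wpa2_pmk(w, ssid): w for w in words}

def lookup(table, pmk):
    """Return the word whose precomputed key matches, or None."""
    return table.get(pmk)

# Constructed sample data: words quoted in this thread plus one common password.
WORDS = ["password", "ghostpoop", "born2run", "34fdY7g42",
         "iseedeadpeopleinabadmovie"]
COMMON_SSID = "IEEE"               # stands in for an SSID covered by a premade list
UNIQUE_SSID = "tfug-example-7f3a"  # assumed SSID that no premade list covers

def demo():
    """Same passphrase, two SSIDs: only the SSID the table was built for matches."""
    table = build_table(WORDS, COMMON_SSID)
    same_ssid = lookup(table, wpa2_pmk("ghostpoop", COMMON_SSID))
    other_ssid = lookup(table, wpa2_pmk("ghostpoop", UNIQUE_SSID))
    return same_ssid, other_ssid

if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())
    print(demo())
```

Because the SSID salts every key, a table built for one network name is useless against another, so a unique, non-default SSID combined with a long passphrase removes the precomputed-list shortcut.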