[Tfug] Why would *anyone* leave a door open?

Bexley Hall bexley401 at yahoo.com
Fri Aug 28 17:59:07 MST 2009


> Your "John the Ripper" example

I don't use "John the Ripper".

> doesn't work for WPA2 cracking, the SSID is integrated
> into the hash.  So, you need a premade list that has been
> computed with the SSID into all the words in the dictionary
> list.   That you are trying to crack, that is what makes
> WPA2 that much more secure.

Ah, so an SSID like, maybe "linksys"?  Gee, I wonder how many
*thousands* of networks in Tucson alone have *that* SSID??

Every "secure" system has been *considered* secure -- until
it was PROVEN otherwise.  If you think any one of these is *truly*
secure, you just haven't seen the right "headline"... *yet*!

I stand by my claim:  When someone breaks into my house to tap
into my WIRED network (and decides *not* to simply walk off with
all of my machines) *then* I'll worry about my security...  ;-)
 
> Example of a premade list:
> http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90
>
> The 1000 SSID list here took 3 days of some serious computing
> power to make a list that works with cracking WPA2 networks,
> if the SSID of the network does not exist in this list you
> would have to do some serious number crunching yourself to
> make a dictionary list for that one SSID you are trying to
> crack.  It would take days to add an SSID you were trying
> to crack to the list in the above example with a normal dual
> core system.  Lots of withs.. ;p
>
> On Fri, Aug 28, 2009 at 3:29 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>
> > >>> s/does/did/
> > >>
> > >> OK...what the hell does that mean?
> > >
> > > Substitute 'does' with 'did'. Not a vi user, eh? ;-)
> >
> > Ah.  Meaning he probably threw it in there now :).
> >
> > Good news is, I deliberately used a passphrase that I've
> > never actually used :).
> >
> > I tend to use that sort of style though, and recommend it
> > often.  It's the best way to memorize a long passphrase.
> >
> > You can also create "families" of passwords with it.
> > In other words, both a longer and shorter version of the same
> > concept.  Done right,
> > each has meaning only to you, so that if one is compromised
> > the other version isn't, or at least the search is only narrowed a
> > little bit but still basically impossible.
> >
> > Example...if the long phrase is
> > "iseedeadpeopleinabadmovie", the short
> > might be "ghostpoop".  To a human, one will remind you of the other,
> > but to a computer there's no link.
>
> But some cracking algorithms don't *care* about the significance
> of the character sequence you choose!  E.g., "34fdY7g42" is just as
> (insecure) as "ghostpoop"!  Dictionary based attacks rely on
> the dictionary happening to contain the vulnerable password
> in order to work.  So, using digits "4", "8", "2", etc. make
> your password more likely to appear in such a list (dictionary).
> E.g., born2run, iamgr8, ready4it, etc.
>
> OTOH, other cracking techniques essentially try *all* of the
> possible combinations of characters (in a less computationally
> intensive approach).  So, passwords that wouldn't *tend* to
> appear in a "dictionary" are just as likely to be discovered
> as those that *would*.  As such, your best defense is a
> longer (wider) password and/or using characters that *really* are
> "never encountered" in passwords.
>
> As I said, theory and practice are very different animals
> in this world.  And, just because something *seems* secure,
> doesn't mean someone hasn't found a way to *efficiently*
> circumvent it!
>
> Is someone going to crack your password if they have to gain
> *physical* access to your machine (i.e., you keep it offline
> as I do mine) *and* have to be motivated to *want* what's
> on your machine?  Or, are they going to attack some account
> of yours (banking account$ tend to be worth $omething to
> $tranger$!) that is publicly accessible with little
> *practical* hope of ever being "traced" to the attacker?
>
> If I have to break into your home to tap into your wired
> network, I put myself at considerable risk.  OTOH, if I
> can sit down the end of the block -- or, in a neighbor's
> house -- and do this "safely"...
>
> Do the math.
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> 
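
Added example, not part of the original thread: WPA2-Personal derives its 256-bit key as PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations), which is why a precomputed table only fits one exact SSID and why a factory-default name like "linksys" shares that table with every other network using it. The default-SSID set and the 20-character threshold below are constructed assumptions for illustration, not values from the thread.

```python
import hashlib
import hmac

# Constructed sample of factory-default SSIDs (assumption, not an authoritative list).
COMMON_DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
# Hypothetical local policy threshold, chosen only for this example.
MIN_PASSPHRASE_LEN = 20


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pairwise master key (32 bytes).

    The SSID is the PBKDF2 salt, so the same passphrase yields a
    different key on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True if a table precomputed for ssid_a would also match ssid_b."""
    return hmac.compare_digest(wpa2_pmk(passphrase, ssid_a),
                               wpa2_pmk(passphrase, ssid_b))


def audit_network(ssid: str, passphrase: str) -> list:
    """Return findings for a network owner reviewing their own settings."""
    findings = []
    if ssid in COMMON_DEFAULT_SSIDS:
        # The salt is shared with every other network of that name,
        # so a precomputed table for it is worth someone's effort.
        findings.append("SSID is a common default: rename it to something unique")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase is short: use a longer phrase")
    return findings


if __name__ == "__main__":
    # Passphrases taken from the thread; SSIDs are constructed samples.
    print(audit_network("linksys", "ghostpoop"))
    print(audit_network("tfug-example-7f3a", "iseedeadpeopleinabadmovie"))
    # SSIDs are case-sensitive salts: "Linksys" needs its own table.
    print(table_reusable("linksys", "Linksys", "ghostpoop"))
```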


      



