Contributed by SamT on from the dept.
A SecurityFocus article dated 2006-02-22 discusses the 1.7 update to John the Ripper, and makes particular mention of why your favourite OS works harder at securing your system than others do.
The FreeBSD-style MD5-based hashes that are so popular nowadays (they're used on FreeBSD, on many (most?) Linux systems, and on Cisco IOS for "enable" passwords) are significantly better, but they aren't quite state of the art. The OpenBSD-style Blowfish-based (bcrypt) hashes are a whole lot better, adding variable iteration counts (such that a system administrator can proceed to adjust the processing cost for hashes that would be used for newly set or changed passwords as CPUs become faster).
Those multiple iterations of an underlying cryptographic primitive (such as modified DES, MD5, or Blowfish) are used to implement so-called "password stretching". bcrypt hashes can reasonably be configured to be, say, 15,000 times slower than traditional crypt(3) hashing on a given CPU. This is equivalent to passwords (or passphrases) containing 14 bits of additional entropy compared to what one has to actually remember and type in at a login prompt. That's roughly two words less to type in a passphrase.
Not only a good read for fanboys, but also a good read for admins running other OSs, with discussion that may help you better secure your network.
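The quoted passage turns on two ideas: a tunable iteration count stored alongside the hash, so an administrator can raise the cost for newly set passwords as CPUs get faster, and the rule of thumb that a slowdown factor of N is worth log2(N) bits of extra password entropy (15,000x is about 14 bits). The following is an added illustration written for this page, not code from John the Ripper, OpenBSD or the SecurityFocus article: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the stretched primitive and a made-up `$stretch$COST$SALT$DIGEST` string layout that is only modelled on how bcrypt carries its cost and salt, not a real crypt(3) format.

```python
"""Password stretching with a self-describing, tunable cost (added example)."""
import hashlib
import hmac
import math
import os
import time

# Hypothetical hash string layout: "$stretch$COST$SALTHEX$DIGESTHEX".
# Loosely modelled on bcrypt storing its cost and salt with the digest;
# not a real crypt(3) format.
SCHEME = "stretch"


def added_entropy_bits(slowdown: float) -> float:
    """Entropy equivalent of a slowdown factor: making each guess `slowdown`
    times more expensive costs an attacker as much as log2(slowdown) more
    bits of password. 15,000x slower is worth about 13.9 bits."""
    return math.log2(slowdown)


def stretch_hash(password: str, cost: int, salt: bytes = None) -> str:
    """Derive a digest with 2**cost iterations of PBKDF2-HMAC-SHA256.

    The salt and cost are stored in the hash string so verification can
    recover them and an administrator can raise the cost for new passwords
    without breaking existing ones."""
    if not 4 <= cost <= 31:
        raise ValueError("cost out of range")
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return f"${SCHEME}${cost:02d}${salt.hex()}${dk.hex()}"


def parse_hash(stored: str):
    """Split '$stretch$COST$SALTHEX$DIGESTHEX' into (cost, salt, digest)."""
    empty, scheme, cost, salt_hex, dk_hex = stored.split("$")
    if empty != "" or scheme != SCHEME:
        raise ValueError("unknown hash scheme")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    cost, salt, expected = parse_hash(stored)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, current_cost: int) -> bool:
    """True when the stored hash was made with a lower cost than policy now
    requires; the usual fix is to rehash at the next successful login."""
    return parse_hash(stored)[0] < current_cost


def measure_slowdown(cost: int, baseline_cost: int = 4) -> float:
    """Wall-clock ratio between a hash at `cost` and one at `baseline_cost`,
    a rough guide for choosing the cost on a given CPU."""
    pw, salt = "benchmark", b"\x00" * 16
    t0 = time.perf_counter()
    stretch_hash(pw, baseline_cost, salt)
    t1 = time.perf_counter()
    stretch_hash(pw, cost, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    h = stretch_hash("correct horse battery staple", cost=12)
    print(h)
    print("verifies:", verify("correct horse battery staple", h))
    print("needs rehash at cost 14:", needs_rehash(h, 14))
    print(f"cost 14 is ~{measure_slowdown(14):.0f}x slower than cost 4, "
          f"worth ~{added_entropy_bits(1 << 10):.0f} extra bits")
```

The point to take from `needs_rehash` is that raising the cost is a policy change, not a migration: old hashes keep verifying at their recorded cost, and each account moves to the new cost the next time its owner logs in with the correct password.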
By Anonymous Coward (128.171.90.200) on
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113637101008262&w=2
By Anonymous Coward (70.179.123.124) on
someone needs to do a little more reading before commenting, methinks
By Anonymous Coward (84.188.210.11) on
Rijndael is Asymmetric
By Anonymous Coward (84.188.210.11) on
I mixed up the stuff with Pub-Key
By Anonymous Coward (80.135.43.17) on
Could you explain this a little more?
By Anonymous Coward (67.170.176.126) on
thanks
AC
By Anonymous Coward (87.78.133.131) on
I tell you, it sucks to have to move your office into the basement so you can have a 300 kg safe beside your desk...
Private keys on removable media are fine for me. I only use them on my trusted machine, so I could perhaps even leave them on there. But hey, paranoia is a gift.
If you have spare money you could go two-factor auth or use pw-keeping tokens (even saw one on ThinkGeek, I think).
But the available solutions are not open source, so I won't use them. I don't think my passwords are any safer than in my head just because I put them into a black box.
By Anonymous Coward (87.78.93.60) on
As for the mentioned smartcard support in gpg, I don't want to carry around another piece of equipment, and there is more than just a gpg key I want to store. :)
A USB stick on my keychain fits my needs quite nicely. If I lose that, I've certainly got other things to worry about than someone brute-forcing my passphrases. Private keys, ssh or gpg, can be changed/revoked easily and fast. Having a policy for such situations helps to not panic too much.
By frantisek holop (165.72.200.10) minusf@gmail.com on
Maybe you use the same password for all your machines/systems/programs, but I've got better things to remember than my 50+ passwords for all the systems I use. I don't even count the web pages which need a login; those don't really need strong passwords.
I could not imagine my life without Password Safe now.
By frantisek holop (165.72.200.10) minusf@gmail.com on
MySQL, Sybase, ColdFusion, web admin interfaces/web working interfaces (at work, not my choice), my bank's online interface, SSL certificate passphrases; even my friggin' company IP phone has 2 passwords: one for login, one for recorded messages! :)
Not everything can be solved with public keys. Not everything is ssh that needs a password.
By Anonymous Coward (81.57.42.108) on
Something like:
openssl enc -aes256 -in my_secret_file -out my_secret_file.enc
rm -P my_secret_file
And then, to print the file content on stdout:
openssl enc -d -aes256 -in my_secret_file.enc
Of course the weak point is that you need to decipher the file and write it in plain on the disk in order to add new data to it (or is there a tip?), but well, that's still good enough for me.
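The weak point named in that post (decrypting to a plaintext file on disk just to append a line) can be avoided by keeping the plaintext in process memory and passing it to `openssl enc` over stdin/stdout. The following is an added example written for this page, not the commenter's code: it assumes an `openssl` binary on PATH that accepts `-pbkdf2` (OpenSSL 1.1.1 or later; `-aes256` in the post's commands is shorthand for `-aes-256-cbc`, and `-pbkdf2` replaces the legacy single-pass key derivation `openssl enc` otherwise uses), and it feeds the passphrase over a private pipe with `-pass fd:N` so it appears neither on the command line nor in the environment. File names and contents are constructed for the demo.

```python
"""Append to an openssl-encrypted file without writing plaintext to disk (added example)."""
import os
import shutil
import subprocess
import tempfile

# -aes256 in the original commands means -aes-256-cbc; -pbkdf2 (OpenSSL >= 1.1.1)
# replaces the legacy EVP_BytesToKey derivation openssl enc uses by default.
ENC_ARGS = ["-aes-256-cbc", "-pbkdf2", "-salt"]


def openssl_available() -> bool:
    """The demo only makes sense where an openssl binary is on PATH."""
    return shutil.which("openssl") is not None


def _run_enc(args, data: bytes, passphrase: str) -> bytes:
    """Run `openssl enc`, delivering the passphrase over a private pipe
    (-pass fd:N) so it is neither on the command line nor in the environment,
    and moving the data through stdin/stdout so no plaintext file is created."""
    rfd, wfd = os.pipe()
    with os.fdopen(wfd, "wb") as w:          # pipe buffer easily holds one line
        w.write(passphrase.encode() + b"\n")
    try:
        proc = subprocess.run(
            ["openssl", "enc", *args, "-pass", f"fd:{rfd}"],
            input=data, capture_output=True, pass_fds=(rfd,), check=True)
    finally:
        os.close(rfd)
    return proc.stdout


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    return _run_enc(ENC_ARGS, plaintext, passphrase)


def decrypt_bytes(ciphertext: bytes, passphrase: str) -> bytes:
    return _run_enc(["-d", *ENC_ARGS], ciphertext, passphrase)


def append_to_encrypted(path: str, passphrase: str, new_data: bytes) -> bytes:
    """Decrypt in memory, append, re-encrypt, and atomically replace the file.
    Only ciphertext ever touches the disk. Returns the new plaintext."""
    with open(path, "rb") as f:
        plaintext = decrypt_bytes(f.read(), passphrase)
    plaintext += new_data
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(encrypt_bytes(plaintext, passphrase))
    os.replace(tmp, path)                    # swap in the new ciphertext atomically
    return plaintext


def demo() -> bytes:
    """Constructed sample: create an encrypted secrets file, add a line, read it back."""
    secret = "constructed-passphrase"        # constructed value for the demo
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "my_secret_file.enc")
        with open(path, "wb") as f:
            f.write(encrypt_bytes(b"mysql: hunter2\n", secret))
        append_to_encrypted(path, secret, b"sybase: swordfish\n")
        with open(path, "rb") as f:
            return decrypt_bytes(f.read(), secret)


if __name__ == "__main__":
    print(demo().decode(), end="")
```

A wrong passphrase makes `openssl enc -d` exit non-zero ("bad decrypt"), which `check=True` turns into a `CalledProcessError` rather than silently returning garbage; the plaintext still lives in this process's memory while the edit happens, so the remaining exposure is swap and core dumps, not the filesystem.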
By Christopher (24.229.80.6) on
lets you do something like this:
but it will echo one of the passphrases you enter (dec, enc, verify).
By Anonymous Coward (203.113.233.98) on
I suppose you could remember a couple of good pass phrases, including the access code to a safe with a list of good pass phrases for other systems; that sounds reasonable.
There's also the Mandylion Password Manager from ThinkGeek at http://www.thinkgeek.com/gadgets/security/7573/ but I have no idea how good it is. I haven't seen any comprehensive, informative reviews of the device yet.
If you use sufficiently long random pass phrases stored in a Mandylion-like device then you could make using John The Ripper ineffectual. Does anybody know any devices better than the Mandylion? The Mandylion's passwords can only be up to a measly 14 characters in length.
By Anonymous Coward (84.188.242.164) on
LDAP, NIS...?
By Anonymous Coward (128.171.90.200) on
http://www.schneier.com/passsafe.html
It's true; at one of the last places I worked, many users' passwords were attached to the front of their machines on a Post-it note.
Password Gorilla might compile on OpenBSD, but it is GPL licensed, if that kind of thing bothers you.
http://www.fpx.de/fp/Software/Gorilla/