From: Christian Wettergren <cwe@it.kth.se>
To: David Sternlight <david@sternlight.com>
Message Hash: 4af0148bc9c4cad20bab96bd44c8f8b2df77d2fb92900b9825a4fa72046cae04
Message ID: <199607160727.JAA27015@piraya.electrum.kth.se>
Reply To: <v03007605ae102f6372e6@[192.187.162.15]>
UTC Datetime: 1996-07-16 12:53:24 UTC
Raw Date: Tue, 16 Jul 1996 20:53:24 +0800
From: Christian Wettergren <cwe@it.kth.se>
Date: Tue, 16 Jul 1996 20:53:24 +0800
To: David Sternlight <david@sternlight.com>
Subject: Re: Word lists for passphrases
In-Reply-To: <v03007605ae102f6372e6@[192.187.162.15]>
Message-ID: <199607160727.JAA27015@piraya.electrum.kth.se>
MIME-Version: 1.0
Content-Type: text/plain
| It is pretty easy to defend against dictionary attacks by using an expanded
| character set--mixed caps and lower case; numbers substituted for some
| letters according to easily-remembered personal rules.
|
| "Da5id" in "Snow Crash" by Neal Stephenson is an obvious example, since the
| "v" is a roman numeral 5. Another is the "Compuserve method" of inserting
| punctuation characters between words making up a password or key. Since the
| length of the words used is unknown to the cracker, this makes his job
| harder.
You should on the other hand be able to use the username as an indicator
of what kind of password it is;
user "warez" / pass "warez" (but better check the home directory for MS Word)
user "l0pht" / pass "'l33t"
user "feh" / pass "uk4n+r3dt13" (look for zines)
Actually, these kids believe the language they use are hiding them, but I
bet that the letter digrams they present is a immediate marker of "H4k3rz".
It's definitively better than searching for normal "elite, hacker, phracker,
exploit". I just used "l33t" (52), "d00d" (742), "h4qu3r" (5), "sux" (4053)
on AltaVista, to name a few.
-cwe
Return to July 1996
Return to “David Sternlight <david@sternlight.com>”