25 Apr
2007
25 Apr
'07
5 p.m.
On Wed, 25 Apr 2007, der Mouse wrote:
Your brute force algorithm should be limited to keyboardable characters
that are accepted by that OS.
In terms of entry, it makes no difference. But it is helpful if there is
alternate access to the drive (booting with another OS or reading sectors
elsewhere), and it helps to avoid unauthorized rights amplification.
--
Grumpy Ol' Fred cisin at xenosoft.com
By definition, if you can do better than brute force,
you need a better
hash algorithm.
Surprisingly, I've had students who had been taught that ALL one-way
functions are completely and totally uncrackable.
It will most
likely be a nonsense string of characters, rather than
the name of the user's canary, but it will work.
Not necessarily; for example, if it contains NL or NUL characters, it
will not work as a Unix password, even if it does produce the correct
hash when shoved through the algorithm. Security through obscurity? Doesn't work.
Certainly not in a case
like this, where implementations of the algorithm are, perforce,
widespread.
certainly not for long! I should have punctuated that in a manner
that
would imply sarcasm.
and access to
the hashcodes for accounts shuld be limited.
That helps, a little, but it's a
belt-and-suspenders measure.