Good and Bad Password How-To References

1. Bobby, Paul, "Password Cracking Using Focused Dictionaries", July 16, 2000, was originally found at SANS.org but a PDF as originally formatted is available at
   http://www.giac.org/paper/gsec/42/password-cracking-focused-dictionaries/100346


2. Feldmeier, David C., Karn, Philip R. "UNIX Password Security Ten Years Later", 1990, can be downloaded as a PDF or PS from
   http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.49.7151


3. John the Ripper: Password Cracker, home page,
   http://www.openwall.com/john/


4. Klein, Daniel V., " "Foiling the cracker": A survey of, and Improvements to, Password Security", Feb 22, 1991, is available in PDF from
   http://www.klein.com/dvk/publications/passwd.pdf and locally as a PDF or PS.
   The actual dictionaries used by Daniel Klein are no longer available at
   ftp://ftp.cerias.purdue.edu/pub/dict/dictionaries/DanKlein/ but are available here.


5. L0phtCrack, password auditing for windows NT, home page, seems to move around. I last found it at
   http://insecure.org/sploits/l0phtcrack.lanman.problems.html.
   LC5, the latest commercial version (late 2006) can be found at
   http://www.securityfocus.com/tools/1005.


6. Muffet, Alec, Crack v5.0a, FAQ, I don't believe anyone is maintaining Crack anymore. This next appears obsolete.
   http://www.crypticide.com/users/alecm/security/c50-faq.html
   Alec Muffet's current home page appears to be
   http://dropsafe.crypticide.com/aboutalecm


7. Thompson, Ken & Morris, Robert, "Password Security: A Case History", 1978, revised 1979,
   http://www.cs.yale.edu/homes/arvind/cs422/doc/unix-sec.pdf


8. Johnathan Graham, "Security as a Maintenance Process," 2005 Power Point presentaion is no longer available at its original location
   http://www.its.queensu.ca/oucc/oucc_%20presentations/Johnathan_Graham.ppt
   but is available in the Internet Archive at
   https://web.archive.org/web/http://www.its.queensu.ca/oucc/oucc_%20presentations/Jonathon_Graham.ppt


9. Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, 1999, paper presented at Usenix conference www.openbsd.org/papers/bcrypt-paper.pdf


10. Openwall (Solar Designer & Simon Marechal), "Password security: past, present, future," 2012, a MagicPoint presentation
    http://www.openwall.com/presentations/Passwords12-The-Future-Of-Hashing/ also available from this link in PDF.

• AusCERT - Choosing good passwords
  http://www.auscert.org.au/render.html?it=2260&cid=1920l
  
  
• Cal Tech - Zen and the Art of Password Maintenance is archived at
  http://web.archive.org/web/20010213235050/
  http://www.cacr.caltech.edu/resources/accounts/password-safety.html
  
  
• Foxglove - Good and bad passwords
  http://www.tinhat.com/internet_privacy/good_password_tips.html
  
  
• Gary C. Kessler - Passwords Strengths and Weaknesses (1996)
  http://www.garykessler.net/library/password.html
  
  
• MIT - Passwords: The Good, The Bad, and The Ugly
  http://web.mit.edu/network/passwords.html
  
  
• Stanford University - Suggestions for Selecting Good Passwords is now archived http://web.archive.org/web/20061027010609/http://www2.slac.stanford.edu/computing/security/password/goodpassword.htm
  
  
• University of Minnesota - Why Brute-Force Password Cracking is Impractical http://www.cs.umn.edu/help/security/brute-force-cracking.html As this article is now only available in the Web Archive the authors are likely not confident of its validity. In Jan. 2014, 17 years after it was written it is clearly out of date. A quick desktop without a GPU can crack all 7 character passwords in 11 days and 8 characters in 3 years. With a GPU speed on some hashing algorithms can be more than 1000 times the same machine without one. A fast cracking network working at 750 billion CPS can do all 9 character passwords in 10 days and 10 characters in 2.5 years. See the password cracking time tables and related discussion on how salts and hashing itteration control affect cracking times.
  

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.