
Re: [cobalt-users] Admin/root password security hole



Jens Kristian Søgaard wrote:
> 
> "Fathi Said" <fathi@xxxxxx> writes:
> 
> > Don't tell me that "security5143" is secure -- brute force it (I had a nice
> > explained that to me) and you have the right password within seconds......
> 
> Within seconds?
> 
> What _bruteforce_ program does that?

I didn't realise anybody had got a quantum computer up and running yet!

[I'm pretty sure Fathi is referring to a dictionary attack.]

> Indeed using brute force would be worse, as a dictionary attack would
> render such words as "security" to be very unsecure.
This is my point.  If "security5143" is truncated to "security" by 
the software, it becomes ten thousand times as vulnerable to a dictionary 
attack.  Actually, more than that, because tacking four digits on the 
end of a word is just *one* of the things that you would explore with
a dictionary attack, having done the straightforward attack.

I was not trying to posit "security5143" as a good password, just 
trying to illustrate the flaw in Cobalt's logic.

BTW y'all, the above is a nice example of why you should provide enough
quote to give context.  For some reason I haven't seen Fathi's post.
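As an added illustration of the point above (example code written for this page, not Cobalt's software or anything from the thread's authors): the block below simulates a password scheme that silently keeps only the first 8 characters, which is the assumption behind "security5143" becoming "security" and matches the classic crypt() limit, beside the same scheme without truncation. SHA-256 with a fixed, constructed salt stands in for whatever Cobalt actually used. `accepts_truncated` is the check an administrator can run to detect truncation (the prefix alone verifies against the full password's hash), and `guesses_to_find` counts how many guesses the attack the thread describes needs, plain words first and then each word with four digits appended, against a small constructed wordlist.

```python
import hashlib
import hmac

# Assumption: the scheme silently keeps only the first 8 characters, as the
# thread describes for "security5143" -> "security" (the classic crypt() limit).
TRUNCATE_AT = 8
SALT = b"constructed-salt"  # constructed; a real scheme uses a random per-user salt


def truncating_hash(password: str) -> str:
    """Stand-in for a truncating scheme (SHA-256 here, not Cobalt's real algorithm)."""
    return hashlib.sha256(SALT + password[:TRUNCATE_AT].encode()).hexdigest()


def full_length_hash(password: str) -> str:
    """Same construction without the truncation."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def verify(hash_fn, stored: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    return hmac.compare_digest(hash_fn(candidate), stored)


def accepts_truncated(hash_fn, password: str, limit: int = TRUNCATE_AT) -> bool:
    """Detection check: do the first `limit` characters alone verify against
    the hash of the full password?  True means the scheme truncates."""
    if len(password) <= limit:
        raise ValueError("use a test password longer than the suspected limit")
    return verify(hash_fn, hash_fn(password), password[:limit])


def guesses_to_find(hash_fn, stored: str, wordlist, digits: int = 4):
    """Work factor of the attack the thread describes: plain words first, then
    every word with `digits` decimal digits appended.  Returns (match, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verify(hash_fn, stored, word):
            return word, guesses
    for word in wordlist:
        for n in range(10 ** digits):
            guesses += 1
            candidate = f"{word}{n:0{digits}d}"
            if verify(hash_fn, stored, candidate):
                return candidate, guesses
    return None, guesses


WORDLIST = ["password", "letmein", "security", "cobalt"]  # constructed sample

if __name__ == "__main__":
    pw = "security5143"
    for name, fn in (("truncating", truncating_hash), ("full-length", full_length_hash)):
        print(name, "accepts prefix:", accepts_truncated(fn, pw),
              "guesses:", guesses_to_find(fn, fn(pw), WORDLIST))
```

With the truncating scheme the check returns True and the word "security" verifies on the third guess, even though it is not the real password; with the full-length scheme the check returns False and the same wordlist needs over twenty-five thousand guesses before "security5143" is reached, which is the thousands-fold difference the post is describing.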