Yet Another useful paper
Joe Buck
jbuck at epimass.EPI.COM
Tue Dec 20 05:09:39 AEST 1988
Dennis Mumaugh writes:
>>As far as UNIX passwords, it further justifies the use of a shadow
>>password file and the use of 64 character pass phrases.
In article <4420 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>Why? Because it shows a 20x speedup possibility? Let's do the
>arithmetic again...
>Given a 100 character character set and 8 characters in a password
>the search space is 100^8 which is 10,000,000,000,000,000
Irrelevant, because not all passwords are equally probable. The
Internet worm broke large numbers of accounts by using about five
guesses obtained from the user's line in the password file, and broke
quite a few more using a list of about 500 words (it's amazing how
many accounts can be broken by using the twenty most common female
names as guesses). People are incredibly lax about password security
at most sites. Make it fast enough, and people can just crunch away
using /usr/dict/words; an uneducated user is much more likely to use a
word than a random group of eight characters.
Since the password file is publically readable, you can just retrieve
it, crunch away quietly on a different machine until you've broken the
passwords you want. With a shadow password file and appropriate
security logging, you can't repeatedly guess a user's password without
triggering some alarms.
--
- Joe Buck jbuck at epimass.epi.com, or uunet!epimass.epi.com!jbuck,
or jbuck%epimass.epi.com at uunet.uu.net for old Arpa sites
I am of the opinion that my life belongs to the whole community, and as long
as I live it is my privilege to do for it whatever I can. -- G. B. Shaw
More information about the Comp.unix.wizards
mailing list