random passwords (was Re: Worm...)
James Rouse
james at tcom.stc.co.uk
Thu Dec 1 21:42:02 AEST 1988
Larry Mcvoy writes:-
>Add a field somewhere (/etc/failures?) that records the number of
>failed attempts. If it reaches some maximum, disallow logins with
>some message like:
> ("Possible security risk: %d failed attempts\n", failed)
>If the failed number is greater than MAXFAIL/2, then warn the user that
>he ought to reset his password (to anything, including what it was).
[stuff deleted]
>
>Wouldn't this be a much easier and more palatable way to solve the problem?
No, because (unless you have a shadow password file :-) see below) to try a
password you simply get the encrypted version from /etc/passwd, encrypt your guess
and compare the two. The number of attempted logins to your name has nothing
to do with this.
If, however, /etc/passwd was unreadable to the world, then this method of attack
would be ruled out. You wouldn't need a shadow passwd file then either.
The one thing that seems to have been assumed in this argument is that
de-encrypting passwords is impossible. It may be very difficult, but if people
are talking about using a mainframe to encrypt the dictionary (!) and grep the
password file, why is everyone so sure that a mainframe cannot be used to
reverse the encryption routine?
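The following is an added example, not code from this thread or from either poster. It models the two checks the exchange contrasts: the login-time failure counter from the quoted proposal (MAXFAIL, the "Possible security risk" refusal, the MAXFAIL/2 warning) and the offline compare-against-the-stored-hash that the reply says the counter cannot see. It assumes a salted SHA-256 stand-in for crypt(3) DES so it runs on current Python, a MAXFAIL of 4, and a constructed one-user password table; the /etc/failures-style counter is a dictionary.

```python
import hashlib
import hmac

MAXFAIL = 4  # assumed value for the limit in the quoted proposal


def hash_password(salt, password):
    """Stand-in for crypt(3): a one-way, salted hash of the password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample of a world-readable /etc/passwd: user -> (salt, hash).
PASSWD = {"alice": ("ab", hash_password("ab", "correct horse"))}

# Constructed /etc/failures-style counter from the quoted proposal.
FAILURES = {"alice": 0}


def login(user, password):
    """Online check through the login program: the counter is read and updated.
    Returns (accepted, message)."""
    failed = FAILURES[user]
    if failed >= MAXFAIL:
        return (False, "Possible security risk: %d failed attempts" % failed)
    salt, stored = PASSWD[user]
    if not hmac.compare_digest(hash_password(salt, password), stored):
        FAILURES[user] = failed + 1
        return (False, "Login incorrect")
    if failed > MAXFAIL // 2:
        return (True, "%d failed attempts recorded: consider resetting your password" % failed)
    return (True, "")


def offline_check(user, guess, hashes_readable=True):
    """The comparison the reply describes: read the stored hash, hash the guess,
    compare. It never calls login(), so FAILURES is untouched. When the hashes
    are unreadable (shadow file, or an unreadable /etc/passwd) the stored value
    is simply not available and no comparison is possible."""
    if not hashes_readable:
        raise PermissionError("password hashes are not readable")
    salt, stored = PASSWD[user]
    return hmac.compare_digest(hash_password(salt, guess), stored)


def demonstrate():
    """Run both paths on the same guesses and report what the counter saw."""
    FAILURES["alice"] = 0
    guesses = ["password", "letmein", "wizard", "correct horse"]
    report = {}
    # Offline: every guess is tested against the hash; the counter stays at 0.
    report["offline_hits"] = [g for g in guesses if offline_check("alice", g)]
    report["counter_after_offline"] = FAILURES["alice"]
    # Online: the same guesses go through login(); three failures are recorded,
    # and the eventual success arrives with the MAXFAIL/2 warning.
    results = [login("alice", g) for g in guesses]
    report["counter_after_online"] = FAILURES["alice"]
    report["warned"] = results[-1][0] and results[-1][1] != ""
    # One more failure reaches MAXFAIL, after which logins are refused.
    login("alice", "wrong again")
    report["locked_message"] = login("alice", "correct horse")[1]
    # With unreadable hashes the offline path has nothing to compare against.
    try:
        offline_check("alice", "correct horse", hashes_readable=False)
        report["shadowed"] = "comparison possible"
    except PermissionError:
        report["shadowed"] = "comparison impossible"
    return report


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print("%-22s %s" % (key, value))
```

The point the output makes is the reply's own: the counter only moves when guesses pass through login(), so the offline path reaches the right password with the counter still at zero, and the only line that stops it is the one where the hash cannot be read at all.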