WARNING!

attcan!vpk1!john at uunet.uu.net attcan!vpk1!john at uunet.uu.net
Wed Apr 10 11:18:41 AEST 1991 

John Lupien <lupienj at hpwadac.hp.com> types:
In article <1991Mar27.094325.24599 at en.ecn.purdue.edu> kidder at en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>>PS I learned earlier from another that UNIX does not use a DES
>>   encryption method for the password; however, a one-way method
>>   is used making decoding a password impossible.
                                       >^^^^^^^^^^^
>To borrow a phrase from one of those "Airplane" movies, "You use that
>word a lot. I don't think it means what you think it means."
>
>When someone says that something is "impossible", the first thing that
>comes to my mind is "how long has it been impossible, and how long will
>it stay that way?". Certainly I don't know how to decode an encrypted
>UNIX password, but I think it is somewhat foolhardy to assume that nobody
>does. There are some very clever people around, and some of them have some
>very fast and capable hardware. 

It doesn't matter how fast or powerful the hardware is. To steal
a quote (from where I can't remember) "You can't feed sausage
backwards through a meat grinder and come out with a pig at the
other end". Now that this little misconception is cleared up :)
it still doesn't mean that your machine is secure. While there is
no known method of reversing the encrytpion, you can use comparison
or other BFI methods (BFI=Brute Force and Ignorance) to get at
passwords. This topic has been beaten to death in here but it all
comes down to the same thing...

As long as you choose passwords carefully, your password is relatively
safe!

The best passwords are completely random sequences. The next best
(and easiest to remember) is phonetic permutations of foreign words
with random capitalizations. Of course, none of this will protect
you %100. I've found that most computer break-ins are not by super
geniuses that toss super-computer power at machines, but rather
a result of a persistant individual who exploits the ignorance of 
users and poor system administrators. As long as even ONE person can 
log into your machine, it's not completely secure. Common sense and 
awareness are are your only defense. There are a lot easier ways to 
break into a unix box than through the password file. Also, getting 
a copy of your password file requires access to your machine in the first
place. If a competent hacker has access to your box, they probably
won't waste time with your password file. They'll be busy looking 
for other holes in your system to exploit. 

>---
>John R. Lupien
>lupienj at hpwarq.hp.com

Cheers

______Opinions stated are my own. Transcripts available by request______
      ===
    =--====  AT&T Canada Inc.             John Benfield
   =----==== 3650 Victoria Park Ave.      Network Support Analyst (MIS)
   =----==== Suite 800		    
   ==--===== Willowdale, Ontario          attmail   : ~jbenfield
    =======  M2H-3P7			  email     : uunet!attcan!john
      ===    (416) 756-5221               Compu$erve: 72137,722

____Eagles may soar, but weasels don't get sucked into jet engines._____

More information about the Comp.unix.wizards mailing list