WARNING!

der Mouse mouse at thunder.mcrcim.mcgill.edu
Sun Apr 14 19:33:05 AEST 1991 

In article <26512 at adm.brl.mil>, attcan!vpk1!john at uunet.uu.net writes:
> John Lupien <lupienj at hpwadac.hp.com> types:
> In article <1991Mar27.094325.24599 at en.ecn.purdue.edu> kidder at en.ecn.purdue.edu (Mark Stephen Kidder) writes:
[Are those attribution lines really right?  They look odd. -Mouse]
>>> PS I learned earlier from another that UNIX does not use a DES
>>>    encryption method for the password; however, a one-way method is
>>>    used making decoding a password impossible.
>>                                     ^^^^^^^^^^^
>> To borrow a phrase from [some movie], "You use that word a lot. I
>> don't think it means what you think it means."
> It doesn't matter how fast or powerful the hardware is.  [...]  While
> there is no known method of reversing the encrytpion, you can use
> comparison or other BFI methods ([...]) to get at passwords.

What's the difference?  Any method that takes the hashed password as
input and produces the original form as output (or, arguably, any
string which would be accepted for (eg) logins) counts as "decoding the
password" or "reversing the encry[pt]ion".  Whether this is done by
some clever method only the no-such-agencies currently know, by table
lookup in a monster table, by exhaustive search through the space of
possibilities, or some other method, is completely irrelevant.

The common password encryption scheme is not DES, not quite; it is DES
with the E-box diddled slightly by the salt value (supposedly to defeat
attempts to use DES hardware for exhaustive search).  It is a
reasonably good approximation to a one-way function.  Nevertheless, to
mangle the language sightly, it is not impossible and is steadily
becoming less so.  There are only 2^56 input values.  I have code that
does approximately a thousand trials a second on general-purpose
hardware.  Let's suppose with a little hardware work we could push this
to a million per second (a bit in advance of current hardware, but
probably not that much).

This still sounds fairly secure, as it works out to about two thousand
years to cover the entire space.  But now we spend a little money and
buy/build a thousand of those hardware assist units.  Now we're down to
two years.

And the vast majority of the space of possibilities corresponds to
passwords like V 3 ^A 9 W ' ; x that no sane person would pick because
they're so impossible to remember.

No, it's time to start thinking about it.  Now.  Not in five years,
when anyone with access to one of the latest FrobozzCo 64K-processor
2684TRX PLA machines can exhaust the space in a month, and find your
password and mine much sooner than that.  Or when storage densities
have improved to the point where one person can carry that monster
lookup table I mentioned in a pocket.  (64 bits times 2^56 passwords
times 2^12 salts is 2^71 bytes.  That looks ridiculous.  Today.)

					der Mouse

			old: mcgill-vision!mouse
			new: mouse at larry.mcrcim.mcgill.edu

More information about the Comp.unix.wizards mailing list