Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!husc6!bu-cs!madd
From: madd@bu-cs.BU.EDU (Jim Frost)
Newsgroups: comp.unix.wizards
Subject: Re: PASSWORD GUESSING
Message-ID: <36830@bu-cs.BU.EDU>
Date: 21 Aug 89 01:46:49 GMT
References: <1919@aucs.UUCP> <737@rwing.UUCP> <1043@accuvax.nwu.edu> <3532@internal.Apple.COM> <3126@rti.UUCP> <24888@prls.UUCP>
Reply-To: madd@buit15.bu.edu (Jim Frost)
Followup-To: comp.unix.wizards
Organization: Boston University Distributed Systems Group
Lines: 24

In article <24888@prls.UUCP> gordon@prls.UUCP (Gordon Vickers) writes:
|   The advice I see most often, and use myself is to simply pick
| two unrelated words that are separated by a symbol, with the entire
| password being seven or eight characters in length.  Care to figure
| what the odds are of a hacker breaking it?

Sure.  Very good if the hacker has (exclusive) access to a good
parallel machine, or access to several PC's and a good crypt()
implementation.  One of the problems of the UNIX password scheme is
that it believes that you don't have 50+ mips of processing power and
a reasonably efficient crypt().  (In fact I know someone who did a
fairly complete scan of 6 letter passwords using heavy parallelism;
this is likely to become more common as machines get faster.)

Since there are a variety of simple ways to get around this problem
which have been discussed in full on this and other newsgroups, I
won't go into it.  Just remember that machine speed is rising quickly
enough for brute-force to be effective.

jim frost
software tool & die
madd@std.com
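
The keyspace argument in the post above, worked as an added example (not part of the original post): it counts the passwords the quoted "two words and a symbol, 7 or 8 characters" advice can produce and compares that with the 6-letter space and with 8 random printable characters. The per-length word counts and the guess rates are constructed assumptions, not figures from the post.

```python
import string

# Constructed assumption: how many dictionary words exist at each length.
WORDS_BY_LENGTH = {2: 100, 3: 1_000, 4: 4_000, 5: 9_000}
SYMBOLS = len(string.punctuation)  # 32 ASCII punctuation characters


def two_word_keyspace(words_by_length, symbols, total_lengths=(7, 8)):
    """Count word + symbol + word passwords with an allowed total length."""
    count = 0
    for total in total_lengths:
        for len1, n1 in words_by_length.items():
            len2 = total - 1 - len1  # one character is the separator
            count += n1 * symbols * words_by_length.get(len2, 0)
    return count


def letter_keyspace(length, alphabet=26):
    """Count all strings of exactly `length` characters over the alphabet."""
    return alphabet ** length


def days_to_exhaust(keyspace, guesses_per_sec):
    """Worst-case days to try every candidate against one hash."""
    return keyspace / guesses_per_sec / 86_400


def compare(rates=(100, 10_000, 1_000_000)):
    """Return {scheme: (keyspace, [days at each assumed guesses/sec rate])}."""
    schemes = {
        "6 lowercase letters": letter_keyspace(6),
        "word+symbol+word, 7-8 chars": two_word_keyspace(WORDS_BY_LENGTH, SYMBOLS),
        "8 random printable ASCII": letter_keyspace(8, 95),
    }
    return {name: (size, [days_to_exhaust(size, r) for r in rates])
            for name, size in schemes.items()}


if __name__ == "__main__":
    for name, (size, days) in compare().items():
        cols = "  ".join(f"{d:14.2f}d" for d in days)
        print(f"{name:28} {size:>22,}  {cols}")
```

With these constructed word counts, the word+symbol+word space comes out at about 1.2 times the 6-letter space, so a password policy built on that advice gains little over the case the post describes as already scanned.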