Xref: utzoo comp.unix.questions:22855 alt.security:824
Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!uwm.edu!ogicse!blake!milton!milton.u.washington.edu!dennis
From: dennis@bailey.cpac.washington.edu (Dennis Gentry)
Newsgroups: comp.unix.questions,alt.security
Subject: Re: How secure is UNIX?
Message-ID:
Date: 12 Jun 90 07:30:47 GMT
References: <1990Jun5.152004.15873@agate.berkeley.edu> <1990Jun7.161215.27328@chinet.chi.il.us> <1990Jun8.154523.5102@agate.berkeley.edu> <1990Jun8.175747.18776@athena.mit.edu> <1990Jun10.183417.6226@agate.berkeley.edu>
Sender: news@milton.acs.washington.edu
Organization: Center for Process Analytical Chemistry, U of Wash, Seattle
Lines: 29
In-reply-to: dankg@tornado.Berkeley.EDU's message of 10 Jun 90 18:34:17 GMT

In article <1990Jun10.183417.6226@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai) writes:

> It's not that hard to overcome crypt().

There are no published easy methods of overcoming crypt(). If you
have found one, I would like to help you co-author a paper.

> I think my password was well-chosen: It is hardly English or any
> other language, with Uppercase and Numbers. My previous one was
> very random also. Yet my 10-line (now 20 and can handle even more
> complex cases) successfully found it: I didn't use /usr/dict/words
> or any sort at all.

Again, I would be extremely surprised if your 20 line program can
successfully find well chosen passwords at any reasonable rate (say
one per year on a fast workstation). Also, it is easy for a good
system administrator to change the original string being encrypted
so that remote password attacks are much more difficult.

Dan, would you be willing to mail me your 20 line program for
analysis? If you are not, I'd still believe you if you can find my
password. Here is my password entry. (If any of you besides Dan
crack my password, please let me know by sending e-mail.)

dennis:H3MsMYv9Jed8Y:100:10:Dennis Gentry:/u/dennis:/bin/csh

Thanks,
Dennis
dennis@cs.washington.edu
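
The entry Dennis posts is a seven-field passwd line whose second field is a traditional crypt(3) value: 13 characters, the first two being the salt. As an added example (not part of the original post), this audit parses such lines and reports accounts whose hash, or an empty password field, is readable in the file; the `guest` and `daemon` lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Output alphabet of traditional DES-based crypt(3).
CRYPT_CHARS = re.compile(r"[./0-9A-Za-z]+")

@dataclass
class PasswdEntry:
    name: str
    pw_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd_line(line):
    """Split one passwd line into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    name, pw, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)

def classify_pw_field(pw):
    """Return (kind, salt, digest) for the password field."""
    if pw == "":
        return ("empty", None, None)
    if len(pw) == 13 and CRYPT_CHARS.fullmatch(pw):
        return ("des-crypt", pw[:2], pw[2:])  # 2-char salt + 11-char digest
    return ("other", None, None)              # e.g. "*" (no valid hash)

def audit(lines):
    """List (account, finding) for entries that expose a hash or have no password."""
    findings = []
    for line in lines:
        entry = parse_passwd_line(line)
        kind, salt, _ = classify_pw_field(entry.pw_field)
        if kind == "des-crypt":
            findings.append((entry.name, f"crypt(3) hash readable, salt {salt!r}"))
        elif kind == "empty":
            findings.append((entry.name, "empty password field"))
    return findings

SAMPLE = [
    "dennis:H3MsMYv9Jed8Y:100:10:Dennis Gentry:/u/dennis:/bin/csh",  # from the post
    "guest::200:10:Constructed Guest:/u/guest:/bin/sh",              # constructed
    "daemon:*:1:1:Constructed Daemon:/:/bin/sh",                     # constructed
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```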