Xref: utzoo comp.unix.questions:22866 alt.security:826
Path: utzoo!attcan!lsuc!xenitec!electro!focsys!maytag!watserv1!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!dali.cs.montana.edu!rpi!crdgw1!underdog!volpe
From: volpe@underdog.crd.ge.com (Christopher R Volpe)
Newsgroups: comp.unix.questions,alt.security
Subject: Re: How secure is UNIX?
Keywords: Security, ftp
Message-ID: <8480@crdgw1.crd.ge.com>
Date: 12 Jun 90 13:13:43 GMT
References: <1990Jun4.102422.12896@agate.berke <1752@necis <1990Jun5.152004.15873@agate.berkeley.edu> <1990Jun7.161215.27328@chinet.chi.il.us> <1990Jun8.154523.5102@agate.berkeley.edu> <1990Jun8.175747.18776@athena.mit.edu> <1990Jun10.183417.6226@agate.be <1990Jun12.
Sender: news@crdgw1.crd.ge.com
Followup-To: comp.unix.questions
Organization: General Electric Corporate R&D Center
Lines: 33

In article <1990Jun12.012339.12779@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>
>In article <1990Jun10.183417.6226@agate.berkeley.edu>,
>dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
>
>|> 	I think my password was well-chosen:  It is hardly English or
>|> any other language, with Uppercase and Numbers.  My previous one was very
>|> random also.  Yet my 10-line (now 20 and can handle even more complex cases)
>|> successfully found it:  I didn't use /usr/dict/words or any sort at all.
>
>  Your password may very well have been well-chosen.  That's completely
>irrelevant to the argument of whether or not crypt() is adequate, since
>the way your account was broken into was by someone who read your .netrc
>file, not by someone who cracked your password by encryption.
>

Wait a minute. It sounds to me like Dan is claiming that with a 10
(or 20) line C program, he was able to find an arbitrary password
(with uppercase and numerals) via encryption. Yes, it's true, that
his account was broken into by someone who read the password from
the .netrc file, but that has nothing to do with his claim.
He says he didn't use /usr/dict/words or any sort of [word list] at all,
which implies something along the lines of an exhaustive search. 
I find that highly unlikely, considering that the password encryption
mechanism is an implementation of DES, which uses a 56 bit key. 
A brute force search of the keyspace is pretty unfeasable. Perhaps
I misunderstood the claim.

============================
Chris Volpe
Computer Scientist
G.E. Corporate Research and Development
volpecr@crd.ge.com