Xref: utzoo rec.games.mud:2674 alt.security:2021 comp.unix.wizards:24554
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!samsung!think.com!ames!ncar!news.miami.edu!umbio.med.miami.edu!jpb
From: jpb@umbio.med.miami.edu (jpb)
Newsgroups: rec.games.mud,alt.security,comp.unix.wizards
Subject: Re: Hacking
Keywords: WARNING
Message-ID: <1991Mar27.041126.9886@news.miami.edu>
Date: 27 Mar 91 04:11:26 GMT
References: <1991Mar25.155055.27335@mailer.cc.fsu.edu> <1991Mar25.231032.5872@decuac.dec.com> <1991Mar26.015635.23103@mintaka.lcs.mit.edu> <1991Mar26.163720.28379@en.ecn.purdue.edu>
Sender: news@news.miami.edu (USENET News System)
Organization: Gene Police World Headquarters, Research & Development Division.
Lines: 34

In article <1991Mar26.163720.28379@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>In article <1991Mar26.015635.23103@mintaka.lcs.mit.edu> rjc@geech.gnu.ai.mit.edu (Ray Cromwell) writes:
>
>>couple of minutes of guessing is all that is needed. New students
>>just receiving accounts choose easy passwords. For instance, at my
>>local college here, I found that 50% of the passwords in the /etc/passwd
>>file were either the user's name, or his name spelled backwards, or
>>'pass', 'passwd', and 'password.'
>>  Blaming the FSF for password 'crackers' isn't right. If the FSF machines
>>were removed from the net it wouldn't stop hacking at all. In fact, once
>>a hacker gains access to a machine (through an unsecure student account)
>>he can download the password file and crack it on his pc at home.
>                                  ^--- Not very bloody likely since
>even the most sophisticated hacker couldn't break the DES encoding method
>used. This fact is rather obvious since there is no decoding algorithm for
>password encryption on UNIX (or any of its cousins, i.e. DYNIX). UNIX-like
>systems ask for the password when you log in. Encrypt it and compare the
>one you gave to the one stored at your login pointer in /etc/passwd. If
>the two encrypted passwords are identical you're in. And no, the odds of
>two different passwords having the same encryption word are astronomical.

Surprise. The technique is not to try and crack DES, but to apply the
same algorithm to a dictionary file, and then compare the output to
the target login's password field. If you're on another unix system,
this can be fairly trivial, especially if you have access to a machine
with a source license. If you're feeling sophisticated, you maintain
a file containing all the successful strikes you've ever had, and use
it first before going to a large dictionary or (shudder) methodical
generation of words.

Joe
--
Joe Block (jpb@umbio.med.miami.edu)
"Never send a monster to do the work of an evil genius."
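
Added example, not part of the original post: the hash-and-compare check described in the thread, written as an audit an administrator runs over their own password file to find the name-derived and common-word passwords mentioned above. PBKDF2 stands in for crypt(3), and the function names, salts and sample accounts are constructed for illustration.

```python
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(3) (assumption): salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def verify_login(password: str, salt: bytes, stored: bytes) -> bool:
    # What login does: hash what was typed, compare with the stored field.
    # Nothing is ever decoded.
    return hmac.compare_digest(hash_password(password, salt), stored)

COMMON_WORDS = ("pass", "passwd", "password")  # words named in the quoted post

def candidate_guesses(login: str):
    # The weak choices listed in the thread, each tagged with a reason.
    yield "login name", login
    yield "login name reversed", login[::-1]
    for word in COMMON_WORDS:
        yield "common word", word

def audit(entries):
    """Return {login: reason} for accounts whose stored hash matches a guess.

    entries: (login, salt, stored_hash) tuples from the admin's own password file.
    """
    flagged = {}
    for login, salt, stored in entries:
        for reason, guess in candidate_guesses(login):
            if verify_login(guess, salt, stored):
                flagged[login] = reason
                break
    return flagged

def make_entry(login: str, password: str, salt: bytes):
    # Helper for building the constructed sample below.
    return (login, salt, hash_password(password, salt))

# Constructed sample accounts, not real data.
SAMPLE = [
    make_entry("alice", "alice", b"salt-a"),
    make_entry("carol", "lorac", b"salt-c"),
    make_entry("dave", "passwd", b"salt-d"),
    make_entry("erin", "x7#Qm2!vLp", b"salt-e"),
]

if __name__ == "__main__":
    for login, reason in audit(SAMPLE).items():
        print(f"{login}: force a password change ({reason})")
```

Flagged accounts get a forced password change; the same candidate list can also be applied as a reject rule at the moment a password is set.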