Xref: utzoo rec.games.mud:2678 alt.security:2024 comp.unix.wizards:24559
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!tut.cis.ohio-state.edu!sei.cmu.edu!dvk
From: dvk@sei.cmu.edu (Daniel Klein)
Newsgroups: rec.games.mud,alt.security,comp.unix.wizards
Subject: Re: Hacking
Keywords: WARNING!
Message-ID: <23246@as0c.sei.cmu.edu>
Date: 27 Mar 91 15:57:28 GMT
References: <1991Mar26.015635.23103@mintaka.lcs.mit.edu> <1991Mar26.163720.28379@en.ecn.purdue.edu> <1991Mar27.041126.9886@news.miami.edu> <1991Mar27.094325.24599@en.ecn.purdue.edu>
Sender: netnews@sei.cmu.edu
Organization: CMU Software Engineering Institute
Lines: 17

At the recent USENIX Security Workshop in Portland, I published a report on
cracking. From a sample set of 13,797 accounts, I was able to crack 3340
using the dictionary method (that's 24.2%). I did a lot more than just look
in /usr/dict/words, but the fact remains that if you use *any* kind of word
as your password, it can be cracked.

If you'd like to read the paper (replete with lots of interesting
statistics), the full citation is: "`Foiling the Cracker': A Survey of, and
Improvements to, Password Security", Proceedings of the USENIX Association
UNIX Security II Workshop, Portland, Oregon, August 27-28, 1990 (or I can
send you troff source or Postscript).

-- ============ -- =========== -- =========== -- =========== -- =========== --
"The only thing that separates us from the animals is superstition and
mindless rituals".
Daniel Klein    CMU-SEI    +1 412/268-7791    dvk@sei.cmu.edu