Xref: utzoo rec.games.mud:2691 alt.security:2030 comp.unix.wizards:24575
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!munnari.oz.au!manuel!coombs!sean
From: sean@coombs.anu.edu.au (Sean Batt)
Newsgroups: rec.games.mud,alt.security,comp.unix.wizards
Subject: Re: Hacking
Message-ID:
Date: 28 Mar 91 02:26:39 GMT
Article-I.D.: coombs.sean.670127199
References: <1991Mar26.015635.23103@mintaka.lcs.mit.edu> <1991Mar26.163720.28379@en.ecn.purdue.edu> <1991Mar27.041126.9886@news.miami.edu> <1991Mar27.094325.24599@en.ecn.purdue.edu>
Sender: news@newshost.anu.edu.au
Organization: Computer Services Centre, Australian National University
Lines: 36

pjnesser@mbunix.mitre.org (Nesser) writes:

> Someone in this thread pointed out that the way to crack passwords
> is to maintain a list of encrypted dictionary words and compare
> against that.

I use this technique from time to time to make sure the users on my
machine are choosing reasonable passwords. If you choose something
easy around here, you'll get a non-email letter with a paper on the
"right way" to choose passwords. Unfortunately, some of my users
choose the obviously difficult to crack passwords that are suggested
in the paper! How many of my users have "IXdKKasPDd" as their
password? (i.e. after "In Xanadu did Kubla Khan a stately Pleasure
Dome decree").

> I just want to point out that this is an amazingly expensive way to
> do it since you have to keep 4096 strings for each word. Disk space
> is getting cheaper but ... It's not that I've figured out a great
> way to do it myself but ... :-)

Ahh! Well I keep mine on ten 2.3GByte Exabyte tapes. Indexed by salt
for example. On my machine with 500 users we have 411 distinct salt
values. That certainly cuts down the search space. Of course for my
application it's only necessary to record the encrypted value as we're
not interested in exactly what the password was, just the fact that
it could be {cr,h}acked.

I'm not going to make my tapes available to anyone else I'm afraid.

Sean
-- 
------------- Sean Sebastian Batt - sean@coombs.anu.edu.au -------- .______.
-------- Coombs Computing Section - Telephone: +61 6 249 3296 ----- | Damn |\
-- Australian National University - GPO Box 4 Canberra City 2601 -- | Fine |/
------------------------------------------------------------------- `------'
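
The salt-indexed audit discussed in this thread, as an added example that is not part of the original post: weak candidates are hashed only for the salts actually present in the password file, and only the hash is compared, so the audit flags an account without recording which word matched. The names `toy_crypt`, `audit`, `WEAK_WORDS` and `PASSWD` are hypothetical, the sample accounts are constructed, and `toy_crypt` is a SHA-256 stand-in for crypt(3) so the block runs anywhere.

```python
import hashlib
from collections import defaultdict

SALT_SPACE = 4096  # 12-bit crypt(3) salt: the "4096 strings for each word" above


def toy_crypt(word, salt):
    # Stand-in for crypt(3) (assumption): NOT the real DES-based algorithm.
    # Output is shaped like a classic entry: 2 salt characters + 11 more.
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]


def audit(passwd_entries, weak_words):
    """Return (flagged_users, hashes_computed, full_table_size).

    passwd_entries maps user -> stored hash whose first two characters
    are the salt. Candidates are hashed once per salt in use, not once
    per user and not once per possible salt.
    """
    users_by_salt = defaultdict(list)
    for user, stored in passwd_entries.items():
        users_by_salt[stored[:2]].append((user, stored))

    flagged, computed = [], 0
    for salt, members in users_by_salt.items():
        weak_hashes = {toy_crypt(w, salt) for w in weak_words}
        computed += len(weak_words)
        # Membership test on hashes only; the matching word is never stored.
        flagged += [user for user, stored in members if stored in weak_hashes]
    return sorted(flagged), computed, len(weak_words) * SALT_SPACE


# Constructed sample data: four accounts sharing three distinct salts.
WEAK_WORDS = ["password", "xanadu", "IXdKKasPDd"]  # last one is the paper's own example
PASSWD = {
    "alice": toy_crypt("IXdKKasPDd", "ab"),
    "bob": toy_crypt("t7#Lq9vW", "ab"),
    "carol": toy_crypt("xanadu", "Zk"),
    "dave": toy_crypt("m2$Rp0xN", "q1"),
}

if __name__ == "__main__":
    flagged, computed, full = audit(PASSWD, WEAK_WORDS)
    print(f"accounts with weak passwords: {flagged}")
    print(f"hashes computed: {computed}; table covering every salt: {full}")
```

With 411 distinct salts in use, as on the machine described in the post, the same grouping needs roughly a tenth of the entries that a table covering all 4096 salts would.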