Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!paperboy!hsdndev!cmcl2!adm!news
From: attcan!vpk1!john@uunet.uu.net
Newsgroups: comp.unix.wizards
Subject: re: WARNING!
Message-ID: <26512@adm.brl.mil>
Date: 10 Apr 91 01:18:41 GMT
Sender: news@adm.brl.mil
Lines: 60

John Lupien types:

In article <1991Mar27.094325.24599@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>>PS I learned earlier from another that UNIX does not use a DES
>> encryption method for the password; however, a one-way method
>> is used making decoding a password impossible.
>^^^^^^^^^^^
>To borrow a phrase from one of those "Airplane" movies, "You use that
>word a lot. I don't think it means what you think it means."
>
>When someone says that something is "impossible", the first thing that
>comes to my mind is "how long has it been impossible, and how long will
>it stay that way?". Certainly I don't know how to decode an encrypted
>UNIX password, but I think it is somewhat foolhardy to assume that nobody
>does. There are some very clever people around, and some of them have some
>very fast and capable hardware.

It doesn't matter how fast or powerful the hardware is. To steal a quote
(from where I can't remember) "You can't feed sausage backwards through a
meat grinder and come out with a pig at the other end".

Now that this little misconception is cleared up :) it still doesn't mean
that your machine is secure. While there is no known method of reversing
the encryption, you can use comparison or other BFI methods (BFI=Brute
Force and Ignorance) to get at passwords. This topic has been beaten to
death in here but it all comes down to the same thing... As long as you
choose passwords carefully, your password is relatively safe! The best
passwords are completely random sequences. The next best (and easiest to
remember) are phonetic permutations of foreign words with random
capitalizations. Of course, none of this will protect you 100%.

I've found that most computer break-ins are not by super geniuses that
toss super-computer power at machines, but rather a result of a persistent
individual who exploits the ignorance of users and poor system
administrators. As long as even ONE person can log into your machine, it's
not completely secure. Common sense and awareness are your only defense.
There are a lot easier ways to break into a unix box than through the
password file. Also, getting a copy of your password file requires access
to your machine in the first place. If a competent hacker has access to
your box, they probably won't waste time with your password file. They'll
be busy looking for other holes in your system to exploit.

>---
>John R. Lupien
>lupienj@hpwarq.hp.com

Cheers

______Opinions stated are my own. Transcripts available by request______
   ===    =--====   AT&T Canada Inc.           John Benfield
  =----====         3650 Victoria Park Ave.    Network Support Analyst (MIS)
  =----====         Suite 800
  ==--=====         Willowdale, Ontario        attmail : ~jbenfield
   =======          M2H-3P7                    email   : uunet!attcan!john
    ===             (416) 756-5221             Compu$erve: 72137,722
____Eagles may soar, but weasels don't get sucked into jet engines._____
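As an added illustration (not part of the original post or its follow-ups), the script below shows the distinction the thread is making: a one-way function cannot be run backwards, yet a stored value can still be tested by comparison against a short list of guesses, so a weak choice is found and a random one is not. It assumes SHA-256 with a salt as a stand-in for the DES-based crypt(3) that UNIX used at the time, and a constructed five-word list standing in for a real audit dictionary.

```python
import hashlib
import secrets

# Assumption: SHA-256 over salt+password as a stand-in for the DES-based
# crypt(3) of 1991 UNIX. The property shown is the same: no inverse exists,
# only forward computation and comparison.
def one_way(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(password):
    """Produce a (salt, hash) pair the way a password file stores it."""
    salt = secrets.token_hex(4)
    return salt, one_way(salt, password)

# Constructed wordlist; a real self-audit would use a far larger dictionary.
COMMON_WORDS = ["password", "secret", "wizard", "unix", "letmein"]

def audit_entry(salt, stored, wordlist=COMMON_WORDS):
    """Defender-side check: is the stored hash the image of a common word?
    Returns the matching word, or None if the entry survives the list."""
    for word in wordlist:
        if one_way(salt, word) == stored:
            return word
    return None

def random_password(length=12):
    """The post's 'completely random sequence' recommendation, in code."""
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ["wizard", random_password()]:
        salt, h = make_entry(pw)
        hit = audit_entry(salt, h)
        verdict = f"FOUND in wordlist ({hit})" if hit else "not in wordlist"
        print(f"{pw!r:16} salt={salt} hash={h[:16]}... -> {verdict}")
```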