Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!paperboy!hsdndev!cmcl2!adm!news
From: JRAMSDEN%wl7.prime.com@relay.cs.net
Newsgroups: comp.unix.wizards
Subject: (none)
Message-ID: <26518@adm.brl.mil>
Date: 10 Apr 91 15:44:08 GMT
Sender: news@adm.brl.mil
Lines: 91

Subject: re: Passwords
To: (unix-wizards@brl.mil)
From: John Ramsden (jramsden@s55.Prime.Com)
Date: 10 Apr 91 2:47 PM

In <9104100059.AA02250@uunet.UU.NET> lupienj@hpwarq.hp.com writes:

> > Certainly I don't know how to decode an encrypted UNIX password, but I
> > think it is somewhat foolhardy to assume that nobody does. There are
> > some very clever people around, and some of them have some very fast
> > and capable hardware.
>
> It doesn't matter how fast or powerful the hardware is. To steal a quote
> (from where I can't remember) "You can't feed sausage backwards through
> a meat grinder and come out with a pig at the other end". Now that this
> little misconception is cleared up :)

That's true as far as it goes, but if you develop a grinder which takes a
sausage at one end and delivers several protein-based units at the other,
you can be fairly confident of having recovered the original pig if one of
these entities has a curly tail and makes oinking noises.

What I'm saying is that even if the encryption function isn't 1-1 (and it
probably wouldn't be), it might be possible to reconstruct all the strings
which encrypt to the same result, and the chances are that one of these
will look more plausible as a password than the others. Even if not, any
one will serve as a password provided it conforms to any extra conditions
necessary to be a kosher Unix password, i.e. in terms of minimum length
and required characters etc.

> The best passwords are completely random sequences.

I'd dispute that, because they're difficult to remember and therefore
vulnerable to being written down (in extreme cases on little Postit (tm)
notes stuck to the terminal or somewhere nearby!). I thought it was a
fairly well established fact that the best type of password is a
meaningful word, but with a twist in the tail.

For example, think of a topical word, let's say "Schwartzkopf". "How
clever," I hear you say, "no one would ever have thought of that one,
John!" (although I bet there's some jerk somewhere who has thought of it,
and thinks they're the first and last to do so!). *But* if you then add a
couple of numbers or a symbol, to make say "Sch23wartzkopf", it gets
converted immediately from being guessable (at a pinch) to impossible.

In the absence of special hardware arrangements, any password entry scheme
is vulnerable to being monitored, in which case it doesn't matter how
carefully the password is constructed. The monitoring could be by software
(a front-end shell of some sort), by intercepting signals in a cable or via
radio, or by picking up radio emissions from CRT screens to reconstruct
what appears on the screen. I even read that MI6 (a British lot) can tell
what is being typed on a teletype by analyzing the characteristic sounds
made by the differing letter shapes as they impact the paper!

The only way to get round this with typed input is to use a procedural
approach. For example, the host would display a 10 by 10 matrix of numbers
(or letters). Then, instead of a password, the validation is the knowledge
of a set of row/column pairs. The user just enters the value displayed at
the successive positions determined by the pairs. Provided the matrix
values are chosen so that the values the user must enter don't determine a
single or even a small set of possible coordinates, the user's input would
be no help to a snooper in tackling another matrix (for which of course the
values would be different!).

Ingenious, isn't it? (Not original though, alas :-( )

It doesn't have to be a matrix. It might just be a column display followed
by a long string of digits/letters which the column display "indexes".
There are all sorts of variants.

> ____Eagles may soar, but weasels don't get sucked into jet engines._____

Nice one - I'll add that to my quip file!

========================================================================
John R Ramsden            | (jramsden@s55.Prime.Com)
                          | "... and let that be a lesson to you !"
Prime Computer Inc        |        S Hussein (victory speech)
Framingham, Mass.         |
========================================================================

DISCLAIMER: The opinions expressed above don't necessarily reflect those
of Prime Computer or its subsidiaries. What's more, in case I forget to do
this ridiculous disclaimer ritual at any time in the future, the same
applies to all my postings unless explicitly stated otherwise (highly
unlikely).
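The "grinder that delivers several protein-based units" from the reply above, as an added example that is not part of the original post. It enumerates every candidate string that maps to an observed one-way value, then ranks the candidates by whether they satisfy the password rules. The one-way function is a constructed stand-in (SHA-256 truncated to one or two bytes) rather than crypt(3), chosen so that collisions appear within a small search; the word list, the "twist in the tail" mangling rules and the `conforms` policy are assumptions made for the example.

```python
"""Enumerate candidate preimages of a non-injective one-way function and
rank them by plausibility (added example; not the poster's code).

Assumptions: WORDLIST and DIGIT_TWISTS are constructed for the example,
oneway() is truncated SHA-256 standing in for a real password hash, and
conforms() is an invented minimum-length / must-contain-a-digit rule.
"""
import hashlib

# Constructed word list standing in for the attacker's dictionary.
WORDLIST = ["schwartzkopf", "eagle", "weasel", "sausage", "pig", "grinder"]

# The "couple of numbers" twist: one or two digits inserted anywhere.
DIGIT_TWISTS = [str(i) for i in range(10)] + [f"{i:02d}" for i in range(100)]


def oneway(s: str, nbytes: int = 2) -> bytes:
    """Stand-in one-way function: the first nbytes of SHA-256.
    Truncation makes it deliberately far from 1-1."""
    return hashlib.sha256(s.encode()).digest()[:nbytes]


def candidates(word: str):
    """Generate the word, its capitalised form, and every digit-twisted
    variant of each (e.g. 'Sch23wartzkopf' from 'schwartzkopf')."""
    for base in (word, word.capitalize()):
        yield base
        for pos in range(len(base) + 1):
            for twist in DIGIT_TWISTS:
                yield base[:pos] + twist + base[pos:]


def preimages(target: bytes, wordlist=WORDLIST, nbytes: int = 2) -> set:
    """All candidate strings whose one-way value equals target: the
    'several protein-based units' that come out of the grinder."""
    found = set()
    for word in wordlist:
        for cand in candidates(word):
            if oneway(cand, nbytes) == target:
                found.add(cand)
    return found


def conforms(s: str, min_len: int = 8) -> bool:
    """Assumed 'kosher password' policy: long enough and contains a digit."""
    return len(s) >= min_len and any(ch.isdigit() for ch in s)


def rank(cands) -> list:
    """Conforming candidates first; any of them will log in, but the
    conforming one is the more plausible original."""
    return sorted(cands, key=lambda s: (not conforms(s), s))


def first_collision(wordlist=WORDLIST, nbytes: int = 1):
    """Show the function is not 1-1: return two distinct candidates with
    the same (1-byte) one-way value, or None if none is found."""
    seen = {}
    for word in wordlist:
        for cand in candidates(word):
            h = oneway(cand, nbytes)
            if h in seen and seen[h] != cand:
                return seen[h], cand
            seen.setdefault(h, cand)
    return None


if __name__ == "__main__":
    target = oneway("Sch23wartzkopf")
    print("observed value:", target.hex())
    print("candidates:", rank(preimages(target)))
    print("a collision under the 1-byte function:", first_collision())
```

With the two-byte stand-in the search over roughly seventeen thousand mangled words usually returns the original alone; shrink `nbytes` to 1 and several unrelated strings share each value, which is the situation the reply describes. The ranking step is what picks the curly-tailed one.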
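The row/column matrix scheme described in the reply, with both the host's and the user's side of the exchange, as an added example that is not the poster's code. It assumes a 10 by 10 grid of decimal digits, a secret made of four (row, column) pairs, and a host that regenerates the grid on every attempt; the `consistent_coordinate_sets` function measures the property the post asks for, namely that the typed digits leave a snooper with many possible coordinate sets rather than one.

```python
"""Matrix challenge/response login (added example, not from the post).

Assumptions: SIZE x SIZE grid of digits 0-9, a user secret of SECRET_LEN
(row, col) pairs, a fresh grid per login, and a host that compares the
typed digits with the ones it placed at the secret positions.
"""
import secrets

SIZE = 10
SECRET_LEN = 4


def new_matrix(rng=None):
    """Host side: a fresh random grid for this login attempt.
    rng needs .randrange(); defaults to a system CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return [[rng.randrange(10) for _ in range(SIZE)] for _ in range(SIZE)]


def render(matrix) -> str:
    """What the host displays on the terminal."""
    header = "    " + " ".join(str(c) for c in range(SIZE))
    rows = [f"{r:2}  " + " ".join(str(v) for v in row)
            for r, row in enumerate(matrix)]
    return "\n".join([header] + rows)


def user_response(matrix, coords) -> str:
    """User side: read off the digit at each secret (row, col) in order."""
    return "".join(str(matrix[r][c]) for r, c in coords)


def verify(matrix, coords, typed: str) -> bool:
    """Host side: does the typed string match the digits at the secret
    positions of the grid that was displayed? Constant-time compare."""
    return secrets.compare_digest(user_response(matrix, coords), typed)


def consistent_coordinate_sets(matrix, typed: str) -> int:
    """Snooper's view: the number of coordinate sequences that would have
    produced `typed` from this grid. Each typed digit can come from any
    cell holding that digit, so the count is the product per position."""
    total = 1
    for d in typed:
        total *= sum(1 for r in range(SIZE) for c in range(SIZE)
                     if matrix[r][c] == int(d))
    return total


def replay_succeeds(old_typed: str, coords, rng=None) -> bool:
    """Snooper replays a captured response against a *new* grid."""
    return verify(new_matrix(rng), coords, old_typed)


if __name__ == "__main__":
    secret = [(3, 7), (0, 1), (9, 9), (5, 2)]   # constructed user secret
    grid = new_matrix()
    print(render(grid))
    typed = user_response(grid, secret)
    print("user types:", typed, "->", verify(grid, secret, typed))
    print("coordinate sets consistent with that:",
          consistent_coordinate_sets(grid, typed))
    print("replay against next grid succeeds:",
          replay_succeeds(typed, secret))
```

On a random grid each digit occupies about ten cells, so a four-digit response is consistent with on the order of 10^4 coordinate sets and a replayed response fails with probability about 1 - 10^-4. The scheme protects only the secret positions, not the session: a snooper who can also inject keystrokes still gets in on the attempt they are watching.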