Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!xanth!xanth.cs.odu.edu!jason From: jason@cs.odu.edu (Jason "dedos" Austin) Newsgroups: comp.unix.wizards Subject: Re: Hacking and "Amateurism" Message-ID: Date: 11 Apr 91 03:55:30 GMT References: <1991Mar26.015635.23103@mintaka.lcs.mit.edu> <1991Mar26.163720.28379@en.ecn.purdue.edu> <1991Mar27.041126.9886@news.miami.edu> <1916@hpwala.wal.hp.com> Sender: usenet@cs.odu.edu (Usenet News Poster) Organization: Old Dominion University, Norfolk, VA Lines: 36 In-Reply-To: lupienj@hpwadac.hp.com's message of 5 Apr 91 16:44:39 GMT Nntp-Posting-Host: lancelot.cs.odu.edu In article <1916@hpwala.wal.hp.com> lupienj@hpwadac.hp.com (John Lupien) writes: -> In article <1991Mar27.094325.24599@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes: -> >PS I learned earlier from another that UNIX does not use a DES -> > encryption method for the password; however, a one-way method -> > is used making decoding a password impossible. -> ^^^^^^^^^^^ -> To borrow a phrase from one of those "Airplane" movies, "You use that -> word a lot. I don't think it means what you think it means." I believe that was from The Princess Bride. -> -> When someone says that something is "impossible", the first thing that -> comes to my mind is "how long has it been impossible, and how long will -> it stay that way?". Certainly I don't know how to decode an encrypted -> UNIX password, but I think it is somewhat foolhardy to assume that nobody -> does. There are some very clever people around, and some of them have some -> very fast and capable hardware. -> -> -> --- -> John R. Lupien -> lupienj@hpwarq.hp.com It's not too hard to show that it is possible to decode a password. Every time the same salt and the same password is run through the crypt function, the same code comes out. (It would have to or the thing wouldn't work at all) At the worst case, an exhaustive table from coded to decoded passwords woul; give right answers. Even if the relation is not 1-1 and each code has more than one possible decoding, any of the valid decodings would let you log in. Of course, this would be quite a large table to calculate considering all the permutations. -- Jason C. Austin jason@cs.odu.edu