Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!uwm.edu!linac!mp.cs.niu.edu!rickert
From: rickert@mp.cs.niu.edu (Neil Rickert)
Newsgroups: comp.unix.wizards
Subject: Re: Passwords
Message-ID: <1991Apr12.120209.21241@mp.cs.niu.edu>
Date: 12 Apr 91 12:02:09 GMT
References: <26518@adm.brl.mil> <14248: Apr1204:14:4891@kramden.acf.nyu.edu>
Organization: Northern Illinois University
Lines: 24

In article <14248:Apr1204:14:4891@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>Someone might search for passwords where each character is 70% lowercase
>letter with Shannon frequencies, 10% uppercase letter, 15% digits 23457
>(surely you know these are the most common?), 5% other digits. He'd get
>that password after, say, a hundred billion encryptions---around two
>months on a small Sun cluster. These are back-of-the-envelope estimates,
>but I certainly wouldn't say that password was impossible to guess.

 What I have never understood is why the password encryption algorithm doesn't
use additional information other than the password - the user name and the
machine name (or domain name for YP based networks).  That way anyone who
broke one encryption has succeeded only in breaking it for one user on
one system.  Sure, this would make life slightly tougher for administrators
when propogating accounts to another host.  But it would minimize the problem
of someone using a supercomputer to derive a dictionary of encryption
breakers for all common dictionary words.  (The dictionary would have to
be recomputed for each user on each machine).


-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940