Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!munnari.oz.au!uhccux!wiliki!newsham
From: newsham@wiliki.eng.hawaii.edu (Timothy Newsham)
Newsgroups: comp.org.eff.talk
Subject: Re: Passwords
Message-ID: <13486@uhccux.uhcc.Hawaii.Edu>
Date: 15 Jun 91 07:43:37 GMT
References: <14907.28501E2D@fidogate.FIDONET.ORG> <1991Jun11.221113.14213@athena.cs.uga.edu>
Sender: news@uhccux.uhcc.Hawaii.Edu
Reply-To: newsham@wiliki.UUCP (Timothy Newsham)
Organization: University of Hawaii, College of Engineering
Lines: 34

>I happen to know that a rather out-of-date copy of the /etc/passwd file
>from one of my machines has fallen into unauthorized hands.
>We change our passwords often enough that the file is now worthless.

There's a better way to protect yourself from /etc/passwd vandals than just changing the passwords on a regular basis. I'm sure you understand how most folks don't like to change their passwords often since they consider it too big a hassle to justify the security measure. Just make them pick a good password and then they won't have to change it anymore if they don't want to.

COPS and other such password hackers (like the ones in Phrack and LOD Tech Journal) work because people simply pick stupid passwords. COPS and the like first search for passwords that are identical to the login name. Then the hacking program goes on to try variations on the name that correspond with the account. For example, consider account login joe, real name John Doe. The pass hacker would try joe, john, doe, johndoe, doejohn, nhoj, eod, eodnhoj, nhojeod, eoj, etc. If variations on the name don't work, the password hacker, if configured to do so, would go on to try every word in the dictionary. Most hackers don't go as far as trying the dictionary, since it takes weeks to compare every login with every word in the dictionary. Besides, just comparing names usually results in a few broken accounts. That's all any hacker wants or needs.

So, as Cliff Stoll always preaches, practice safe computing by choosing a password not in the dictionary, or pick a password of more than one word, or pick a word and throw in a few punctuation marks. That way it would take a Cray Supercomputer and a lot of luck to penetrate your account. And you won't have to keep changing your password (unless you use the same password on more than one system...but that's another lecture)
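The candidate list the post attributes to COPS-style checkers (login name, each part of the real name, the parts concatenated in both orders, and all of those reversed, then dictionary words) is exactly what a proactive password check can reject at `passwd` time, so that users pick a password that survives the check once instead of rotating weak ones. The following is an added example written for this page, not code from the post, from COPS, or from any named tool; the account records and the tiny word list are constructed stand-ins (a real deployment would load the system dictionary, e.g. `/usr/share/dict/words`, which is assumed here rather than read).

```python
"""Proactive password check in the spirit of the post: reject a candidate
password that a name-variation or dictionary cracker would guess quickly.
Added example; the sample accounts and word list below are constructed."""
import itertools

# Constructed stand-in for a system dictionary. A real check would load
# /usr/share/dict/words (assumption: the host has such a file).
SAMPLE_DICTIONARY = {"secret", "password", "hawaii", "computer", "engineer"}


def name_variants(login, real_name):
    """Guesses derived from the account itself, matching the post's list:
    login, each name part, both concatenation orders, and every reversal.
    Everything is lower-cased so the comparison is case-insensitive."""
    parts = [p.lower() for p in real_name.split()]
    bases = {login.lower(), *parts}
    for a, b in itertools.permutations(parts, 2):
        bases.add(a + b)
    return bases | {w[::-1] for w in bases}


def password_is_weak(password, login, real_name, dictionary=SAMPLE_DICTIONARY):
    """Return a reason string if the password would fall to the guesses
    described in the post, or None if it passes.  A word with punctuation
    thrown in or a multi-word phrase is not in either candidate set, so it
    passes, which is the advice the post gives."""
    pw = password.lower()
    if pw in name_variants(login, real_name):
        return "derived from login or real name"
    if pw in dictionary or pw[::-1] in dictionary:
        return "dictionary word"
    return None


def audit(accounts, dictionary=SAMPLE_DICTIONARY):
    """Run the check over (login, real_name, candidate_password) records and
    return {login: reason} for every account whose password is weak."""
    findings = {}
    for login, real_name, password in accounts:
        reason = password_is_weak(password, login, real_name, dictionary)
        if reason:
            findings[login] = reason
    return findings


# Constructed sample accounts; none of these are real users.
SAMPLE_ACCOUNTS = [
    ("joe", "John Doe", "eodnhoj"),      # reversed "johndoe", from the post
    ("ann", "Ann Lee", "Hawaii"),        # plain dictionary word
    ("bob", "Bob Ray", "hawa!ii"),       # word with punctuation thrown in
    ("sue", "Sue Kim", "safe computing"),  # more than one word
]

if __name__ == "__main__":
    for login, reason in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{login}: weak ({reason})")
```

The check is deliberately limited to the two guess classes the post names; a production checker would add length and character-class rules, but those are outside what the post argues.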