Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!ucsd!ucbvax!agate!agate!dpassage
From: dpassage@soda.berkeley.edu (David G. Paschich)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID:
Date: 19 Jun 91 03:52:29 GMT
References: <1991Jun18.205258.25918@cirrus.com>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: cc
Lines: 28
In-Reply-To: dhesi@cirrus.com's message of 18 Jun 91 20:52:58 GMT

In article <1991Jun18.205258.25918@cirrus.com>, dhesi@cirrus.com (Rahul Dhesi) writes:

> Checking to make sure that a password used is not in any online word
> lists can be very time-consuming. It is more efficient to generate in
> advance what I call a LOWNIAL (list of words not in any list). Ideally
> you would use a modified /bin/passwd program that would accept a
> password only if it was found in the online LOWNIAL, and reject all
> others.

So you create a plaintext list of "good passwords". Either a) this list is
much too large to be useful, or b) this list is small enough that a cracker
can get at it and use it for a dictionary attack on your system.

If you make the file root-readable only, then the problem of reading it
reduces to that of reading the passwords in an /etc/shadow file. If you
encrypt the file, its size increases at least 2,000 times because you have
to encrypt each plaintext password once for each possible salt. And
/etc/shadow is still more secure because there's no absolute list of usable
passwords anywhere.

Restricting your users to a certain list of passwords small enough to be
usable is bad. Using something like the replacement passwd program in the
perl book is a much better idea.

--
David G. Paschich
Open Computing Facility
UC Berkeley
dpassage@ocf.berkeley.edu
"But I'd rather be a fish, 'cause a fish is an animal" -- Gener Fox
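The proactive reject-list check that the reply prefers to a LOWNIAL whitelist, as an added Python example that is not part of the original thread or of any passwd program it mentions: the word list and the candidate passwords are constructed here, and the names `candidate_forms`, `check_password` and the substitution table are assumptions. It rejects anything short or cheaply derivable from a list word, so there is no enumerable list of acceptable passwords to steal.

```python
# Added example, not code from the thread. A proactive password check of the
# kind a replacement /bin/passwd would run: reject passwords that a
# dictionary attack would reach cheaply, instead of whitelisting "good" ones.
import re

# Constructed stand-in for "online word lists"; a deployment would load
# /usr/share/dict/words and similar lists here.
WORD_LIST = {"password", "secret", "berkeley", "dragon", "welcome", "letmein"}

MIN_LENGTH = 8  # assumed policy value

# Assumed table of common digit/symbol-for-letter substitutions to undo.
LEET = str.maketrans("0134$@", "oleasa")


def candidate_forms(password):
    """Yield normalised forms of a password that a cracker's mangling rules
    would also try: case-folded, letters only, reversed, and with common
    substitutions undone."""
    base = password.lower()
    yield base
    letters = re.sub(r"[^a-z]", "", base)
    if letters:
        yield letters
        yield letters[::-1]
    yield re.sub(r"[^a-z]", "", base.translate(LEET))


def check_password(password, words=WORD_LIST):
    """Return (accepted, reason) for a proposed password."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    for form in set(candidate_forms(password)):
        if form in words:
            return False, f"derived from dictionary word {form!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: two mangled list words, one short, one random.
    for pw in ("Dr4g0n!!", "tErces99", "short", "xq7!Lmv9pz"):
        print(pw, check_password(pw))
```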