Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!lll-lcc!rutgers!pbox!okstate!gregg
From: gregg@a.cs.okstate.edu (Gregg Wonderly)
Newsgroups: comp.os.vms
Subject: Re: 'security holes'
Message-ID: <3016@okstate.UUCP>
Date: 5 Jan 88 02:58:27 GMT
References: <8712292021.AA24296@ucbvax.Berkeley.EDU>
Organization: Oklahoma State Univ., Stillwater
Lines: 72

In article <8712292021.AA24296@ucbvax.Berkeley.EDU>, LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU) says:
>
> [Some calculations about times to find passwords]
>

But more important are the lengths of passwords, and the general character set that they are composed of. Typically, it takes ~96 guesses to discover if a user's password is 1 character, 96^2 for 2-letter passwords, and so on. From this, you get the following numbers:

96^1  = 96
96^2  = 9216
96^3  = 884736
96^4  = 84934656
96^5  = 8153726976
96^7  = 75144747810816
96^8  = 7213895789838336
96^9  = 692533995824480256
96^10 = 66483263599150104576
96^11 = 6382393305518410039296
96^12 = 612709757329767363772416
96^13 = 58820136703657666922151936
96^14 = 5646733123551136024526585856
96^15 = 542086379860909058354552242176
96^16 = 52040292466647269602037015248896

Add them all up, and it takes 52588085018927767176012541830240, or fifty-two nonillion, five hundred eighty-eight octillion, eighty-five septillion, eighteen sextillion, nine hundred twenty-seven quintillion, seven hundred sixty-seven quadrillion, one hundred seventy-six trillion, twelve billion, five hundred forty-one million, eight hundred thirty thousand, two hundred forty attempts to find that a user has a 17-character, or larger, password (or one that does not contain one of the 96 common characters in the ASCII character set). FOLKS, THAT'S A BIG NUMBER...

Now, if I desire to know someone's password, on any machine, all I need to do is to watch them type it. I can count the characters that they type, watch their hand movements, and that gives me a pretty good indication of what their password is. From there, I could write a program to hash passwords of some close length to the number of characters that I counted, and make guesses about the relative side of the keyboard each character is on. Scared yet about letting me watch you log on?

The point is, people who really desire to have access will do one of three things. Either they will obtain authorized access, they will try to break in and get caught in the act, or they will succeed, and you may never know about it. You should be worried, but you should also not be paranoid.

I almost agree with Jerry Pournelle or whoever it was that said AT&T should copy-protect UNIX. In one year it would be the most popular OS in the industry, because everyone would want to copy it...

Gregg Wonderly
Mathematics Department
Oklahoma State University
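The keyspace arithmetic in the post, worked through as an added Python example (it is not part of the original post): it rebuilds the table of 96^k candidates per length, sums every length from 1 to 16 in one function (the post's table has no 96^6 row, so its hand-added total differs from a sum over all sixteen lengths), checks that sum against the closed form of the geometric series, and converts a keyspace into entropy bits and into the time an exhaustive search would take at an assumed guess rate. The 96-character alphabet is the post's; the guess rate in the demonstration is a constructed figure, not a measurement of any system.

```python
import math

# Assumptions for the illustration: the post's 96 printable ASCII characters,
# and the longest length the post tabulates.
ALPHABET = 96
MAX_LENGTH = 16


def candidates(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def keyspace_table(alphabet: int, max_length: int) -> list[tuple[int, int]]:
    """(length, candidates) for every length 1..max_length, nothing skipped."""
    return [(k, candidates(alphabet, k)) for k in range(1, max_length + 1)]


def cumulative_keyspace(alphabet: int, max_length: int) -> int:
    """Guesses needed to rule out every password of length 1..max_length."""
    return sum(n for _, n in keyspace_table(alphabet, max_length))


def cumulative_keyspace_closed_form(alphabet: int, max_length: int) -> int:
    """Same total via the geometric series: (a^(n+1) - a) / (a - 1)."""
    return (alphabet ** (max_length + 1) - alphabet) // (alphabet - 1)


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    for length, n in keyspace_table(ALPHABET, MAX_LENGTH):
        print(f"{ALPHABET}^{length:<2} = {n}")
    total = cumulative_keyspace(ALPHABET, MAX_LENGTH)
    assert total == cumulative_keyspace_closed_form(ALPHABET, MAX_LENGTH)
    print(f"sum of lengths 1..{MAX_LENGTH} = {total}")
    # Constructed rate for illustration only: one million guesses per second.
    rate = 1e6
    for length in (4, 8, 12):
        space = cumulative_keyspace(ALPHABET, length)
        years = seconds_to_exhaust(space, rate) / (365.25 * 24 * 3600)
        print(f"up to {length} chars: {entropy_bits(ALPHABET, length):.1f} bits, "
              f"{years:.3g} years at {rate:.0e} guesses/s")
```

The entropy figure is the defender's way to compare policies: doubling the alphabet adds one bit per character, while adding one character adds log2(96) bits, which is why length matters more than character-set tweaks. The exhaustion time is an upper bound for a uniformly random password; guessing real passwords from observed length or keyboard position, as the post describes, collapses the effective space well below these figures.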