Path: utzoo!utgpu!water!watmath!clyde!cbosgd!ihnp4!gargoyle!ddsw1!dnelson
From: dnelson@ddsw1.UUCP (Douglas Nelson)
Newsgroups: sci.crypt
Subject: Re: Crypt() hackers
Message-ID: <637@ddsw1.UUCP>
Date: 5 Feb 88 04:11:21 GMT
References: <538@ddsw1.UUCP> <8045@eddie.MIT.EDU>
Reply-To: dnelson@ddsw1.UUCP (Douglas Nelson)
Organization: Traveller's Aid, Mundelein, IL
Lines: 31

While looking at the source for crypt.c, I noticed that it seemed that some
of the complications seemed irrelevant to the actual end product, thus the
multiple formulating seemed only to waste time, perhaps making "brute force"
hacking much more inefficient, at best, if I understand correctly.

I have seen a program that is only a few lines long, but takes a word from
the dictionary file (usually at /usr/dict/words) and then crypts the
plaintext word (using crypt()) and then uses strcmp() to compare the
encrypted result to that of the one in the /etc/passwd file. While this
seems to work, it would only seemingly work if your password is ideally a
normal English word. I suppose the solution would be to require users to
have at least one number in their password, thus rendering a system like
that useless for all intents and purposes.

Would someone be able to get a copy of Bob Baldwin's "Crypt breaker's
workshop?" I would very much like to take a look at that.

I will gladly send anyone the C source for that dictionary brute-force code
that I have if anyone has any vague interest in seeing it. It is quite
logical at how one would go at it though...

Thanks for all your comments, any questions/comments/answers/threats can be
sent to me at:

------------------
Douglas Nelson
dnelson@ddsw1.UUCP
------------------
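
Added example, not part of the original post and not the poster's code: a password-change policy check of the kind the post proposes, rejecting dictionary words and requiring at least one digit. It goes one step beyond the post by also rejecting a dictionary word with digits merely prepended or appended; the word list, the function names and the verdict codes are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample word list; a real check would load /usr/dict/words. */
static const char *const sample_words[] = {
    "password", "secret", "dragon", "wizard", "traveller"
};

enum pw_verdict { PW_OK, PW_NO_DIGIT, PW_DICT_WORD, PW_DICT_PLUS_DIGITS };

/* Case-insensitive comparison of a dictionary word with the n bytes at s. */
static int matches(const char *word, const char *s, size_t n)
{
    size_t i;
    if (strlen(word) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)word[i]))
            return 0;
    return 1;
}

static int in_dictionary(const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < sizeof sample_words / sizeof sample_words[0]; i++)
        if (matches(sample_words[i], s, n)) return 1;
    return 0;
}

/* Hypothetical policy check, run when a user chooses a new password. */
enum pw_verdict check_password(const char *pw)
{
    size_t len = strlen(pw), start = 0, end = len, i;
    int has_digit = 0;

    for (i = 0; i < len; i++)
        if (isdigit((unsigned char)pw[i])) has_digit = 1;

    if (in_dictionary(pw, len)) return PW_DICT_WORD;
    if (!has_digit) return PW_NO_DIGIT;

    /* Strip leading and trailing digits, then look up what remains. */
    while (start < end && isdigit((unsigned char)pw[start])) start++;
    while (end > start && isdigit((unsigned char)pw[end - 1])) end--;
    if (end > start && in_dictionary(pw + start, end - start))
        return PW_DICT_PLUS_DIGITS;
    return PW_OK;
}
```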