Path: utzoo!utgpu!water!watmath!clyde!rutgers!ames!nrl-cmf!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: sci.crypt
Subject: Re: Crypt() hackers
Message-ID: <7224@brl-smoke.ARPA>
Date: 8 Feb 88 16:02:45 GMT
References: <538@ddsw1.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 33

In article <538@ddsw1.UUCP> dnelson@ddsw1.UUCP (Douglas Nelson) writes:
>I heard something about the regular old crypt() on most versions of Unix has
>been cracked by a program???

Not too long ago, the Crypt Breaker's Workbench was posted to one of the net newsgroups (I forget which, probably comp.sources.unix). It doesn't exactly automatically crack the encryption, but it does provide the interactive tools to help you do it, along with some clever guessing algorithms. I tried it out on a random collection of "crypt"ed files, and it did indeed help me crack them in short order. Very nice work.

By the way, this was the "crypt" UTILITY, not the crypt() library function. The former is basically a trivialized Hagelin machine and the latter is a salted version of the DES.

>Being a security adviser for our system, I would
>like to see how this was done, and what could be done to prevent it.

Easy: Don't use "crypt" to protect anything against more than the casual browser, if that.

By the way, you should move all those crypt()ed passwords OUT of /etc/passwd and into a file that is not publicly readable! There are programs that simply crypt() a modest dictionary of probable passwords (using the appropriate salts) and try to match the results against the entries in /etc/passwd. A lot of matches turn up, on most systems. By hiding the encrypted passwords, you prevent such programs from working.
Then the only avenue of attack on the passwords (assuming the system is otherwise properly administered) is to check passwords by using the system utilities such as "su" and "login" that validate passwords, but these are slow and may log the break-in attempts so that the effort is spotted long before it succeeds.
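
Added example, not part of the original post: a small Python audit for the exposure described above. It flags accounts whose hash still sits in the publicly readable passwd file and checks whether the separate hash file can be read by everyone. The sample entries are constructed, and the `x`, `*` and `!` field markers are the common Unix convention, assumed here rather than taken from the post.

```python
import os
import stat
import sys

# Constructed sample in passwd(5) layout; the hash value is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:XXconstructed:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
broken-line-without-fields
"""

def classify(field):
    """Classify the second (password) field of one passwd entry."""
    if field == "":
        return "empty"        # no password required at all
    if field == "x":
        return "shadowed"     # hash is kept in a separate file (assumed convention)
    if field[0] in "*!":
        return "locked"       # cannot match any crypt() output
    return "exposed"          # hash readable by every local user

def audit_passwd(text):
    """Map account name -> classification for passwd-format text."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings[parts[0]] = "malformed"
            continue
        findings[parts[0]] = classify(parts[1])
    return findings

def readable_by_others(path):
    """True if the file's mode grants read access to 'other'."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    # No arguments: audit the constructed sample. Otherwise argv[1] is a passwd
    # file and optional argv[2] is the hash file whose permissions are checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, state in audit_passwd(text).items():
        if state not in ("shadowed", "locked"):
            print(f"{user}: password field is {state}")
    if len(sys.argv) > 2 and readable_by_others(sys.argv[2]):
        print(f"{sys.argv[2]}: readable by all users")
```

An "exposed" result means the hash is available to any local user for offline guessing; "empty" means the account needs no password at all.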