Path: utzoo!utgpu!water!watmath!clyde!rutgers!mit-eddie!bloom-beacon!gatech!bbn!lf-server-2.bbn.com!dkovar
From: dkovar@lf-server-2.BBN.COM (David Kovar)
Newsgroups: sci.crypt
Subject: Re: Crypt() hackers
Message-ID: <632@morningdew.BBN.COM>
Date: 8 Feb 88 15:42:07 GMT
References: <538@ddsw1.UUCP> <8045@eddie.MIT.EDU> <637@ddsw1.UUCP>
Reply-To: dkovar@morningdew.BBN.COM (David Kovar)
Organization: BBN Communications Corp., Cambridge, MA
Lines: 44

All replies should go to DKovar@BBN.COM and not whatever the mailer generates for a reply.

In article <637@ddsw1.UUCP> dnelson@ddsw1.UUCP (Douglas Nelson) writes:
>
> While looking at the source for crypt.c, I noticed that some of the
> computations seemed irrelevant to the actual end product, thus the
> multiple formulating seemed only to waste time, perhaps making "brute force"
> hacking much more inefficient, at best, if I understand correctly.
>
> I have seen a program that is only a few lines long, but takes a word from
> the dictionary file (usually at /usr/dict/words) and then crypts the plain-
> text word (using crypt() ) and then uses strcmp() to compare the encrypted
> result to that of the one in the /etc/passwd file.
>
> While this seems to work, it would only seemingly work if your password is
> ideally a normal English word. I suppose the solution would be to require
> users to have at least one number in their password, thus rendering a system
> like that useless for all intents and purposes.
>

It is a very inefficient hack, but it does work. Take one Sun workstation, one program, one /usr/dict/words file, one password file, and a week of vacation and voila! Basically, it proved that about 10% of the average users pick a password that exists in /usr/dict/words. I then hacked a version of login and passwd that made sure the password was *not* in /usr/dict/words. (The former reported to the user that his password was not very secure and the latter refused to accept ones that were in the dictionary.)

I also put together a list of about 50 "common" passwords. Using that as the dictionary file I was able to find at least one or two passwords out of 200 on a system.

All of this was basically done for my own enlightenment and to try to point out to a few people that the systems were not overly secure. Not that anyone really listened much.

The program should be obvious to anyone and takes about half an hour to code in an elegant fashion. The only things that would improve it are a) a more complete set of "common" passwords and b) a faster crypt routine.

-David Kovar
DKovar@BBN.COM
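Added example, not code from the post: a proactive check in the spirit of the modified passwd described above, refusing a candidate found in the dictionary or the "common" list. The word lists are constructed stand-ins (not /usr/dict/words or the 50-word list), and the check goes one step past the post's plain lookup by also refusing a dictionary word with one trailing digit or spelled backwards.

```c
/* Proactive password check in the spirit of the modified passwd described in
   the post: refuse a candidate found in the dictionary or in the "common" list.
   Word lists here are constructed stand-ins, not /usr/dict/words. */
#include <ctype.h>
#include <string.h>
enum { PW_OK = 0, PW_EMPTY, PW_COMMON, PW_DICTIONARY, PW_VARIANT };
#define MAXPW 64
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))
static const char *dict_words[] = { "apple", "banana", "orchestra", "secret", "wombat" };
static const char *common_passwords[] = { "password", "letmein", "qwerty", "abc123" };

/* Exact match against a list whose entries are already lowercase. */
static int in_list(const char *word, const char **list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(word, list[i]) == 0)
            return 1;
    return 0;
}

/* Lowercase copy so "Wombat" is caught too; input past MAXPW-1 bytes is truncated. */
static void lower_copy(char *dst, const char *src, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Returns PW_OK or the reason the candidate was refused. */
int check_password(const char *pw)
{
    char buf[MAXPW], var[MAXPW];
    size_t len;
    lower_copy(buf, pw, sizeof buf);
    len = strlen(buf);
    if (len == 0) return PW_EMPTY;
    if (in_list(buf, common_passwords, NELEMS(common_passwords))) return PW_COMMON;
    if (in_list(buf, dict_words, NELEMS(dict_words))) return PW_DICTIONARY;
    /* Two variants beyond the post's plain lookup: one trailing digit removed
       ("secret1") and the word spelled backwards ("tabmow"). */
    if (isdigit((unsigned char)buf[len - 1])) {
        memcpy(var, buf, len - 1); var[len - 1] = '\0';
        if (in_list(var, dict_words, NELEMS(dict_words))) return PW_VARIANT;
    }
    for (size_t i = 0; i < len; i++) var[i] = buf[len - 1 - i];
    var[len] = '\0';
    if (in_list(var, dict_words, NELEMS(dict_words))) return PW_VARIANT;
    return PW_OK;
}
```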