Path: utzoo!utgpu!water!watmath!clyde!rutgers!cmcl2!husc6!bbn!rochester!PT.CS.CMU.EDU!cadre!pitt!jonathan
From: jonathan@pitt.UUCP (Jonathan Eunice)
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <2861@pitt.UUCP>
Date: 21 Feb 88 00:46:12 GMT
References: <731@ddsw1.UUCP> <203@tijc02.UUCP>
Reply-To: jonathan@vax.cs.pittsburgh.edu.UUCP (Jonathan Eunice)
Distribution: na
Organization: Univ. of Pittsburgh Computer Science
Lines: 30

I second the opinion that posting the Unix Password Cracker is perhaps not the brightest idea someone's had in a while. The technique was well-known and discussed several times in sci.crypt, so providing a running program did not enlighten us in any substantial way. It just made it easier for casual users to try. Unix security is not terribly good to start with, and there's no sense in weakening it that much more. Locks are meant to keep honest people out; there's no sense in removing all the locks in your house just because criminals can get in anyway.

On the other hand, it did raise some eyebrows. Distributed on a couple of Sun workstations, it managed to crank out a few users' passwords, including that of root (!), in a few hours. Just because a problem is NP-complete, or calculating it will take N years to run, etc., does not always stop you from finding useful solutions.

The truth is that people do not choose proper passwords, do not change them often enough, and so on. I'm convinced that assigned passwords are a bad idea, because then people other than the account owner can gain access. Perhaps having the system require numbers and special characters in passwords is a good idea. Better yet, when the user sets a password, apply a heuristic to determine whether the desired password follows a distribution pattern similar to that of an English word, and deny that choice if so.
------------------------------------------------------------------------------
Jonathan Eunice              ARPA:   jonathan%pitt@relay.cs.net
University of Pittsburgh             jonathan%pitt@cadre.dsl.pittsburgh.edu
Dept of Computer Science     UUCP:   jonathan@pitt.UUCP
(412) 624-8836               BITNET: jonathan@pittvms.BITNET
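
Added example, not part of the original post: a sketch of the two checks proposed above for password-setting time, requiring a digit and a special character, then rejecting choices whose letter pairs look like English. The bigram table, the 0.5 threshold and the function names are assumptions of this example, not anything the post specifies.

```python
import string

# Constructed table (an assumption of this example): a short list of frequent
# English letter pairs. A real check would derive it from a large word list.
COMMON_BIGRAMS = frozenset("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se
ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur
""".split())


def english_likeness(password):
    """Fraction of adjacent letter pairs that are common English bigrams."""
    text = password.lower()
    pairs = [text[i:i + 2] for i in range(len(text) - 1)]
    # Pairs that straddle a digit or symbol are not letter pairs and are skipped.
    letter_pairs = [p for p in pairs if p.isalpha()]
    if not letter_pairs:
        return 0.0
    hits = sum(1 for p in letter_pairs if p in COMMON_BIGRAMS)
    return hits / len(letter_pairs)


def check_password(password, threshold=0.5):
    """Return (accepted, reason). threshold is a hypothetical cut-off."""
    if not any(c.isdigit() for c in password):
        return False, "needs a digit"
    if not any(c in string.punctuation for c in password):
        return False, "needs a special character"
    if english_likeness(password) >= threshold:
        return False, "too word-like"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["theater", "thea7ter!", "xq7#kzpw"]:
        print(candidate, check_password(candidate))
```

The second candidate passes the digit and special-character rule but is still refused, because its letter runs remain word-shaped; that is the case the distribution heuristic catches and the character-class rule alone does not.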