Path: utzoo!attcan!uunet!husc6!mailrus!ames!joyce!distek4!mckenney
From: mckenney@distek4.uucp (Paul E. McKenney)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: password aging (from worm discussion)
Message-ID: <15005@joyce.istc.sri.com>
Date: 21 Nov 88 19:43:53 GMT
References: <8811181630.AA10668@uc.msc.umn.edu> <8811181901.AA12769@pinocchio.UUCP>
Sender: nobody@joyce.istc.sri.com
Reply-To: mckenney@distek4.UUCP (Paul E. McKenney)
Organization: SRI International, Menlo Park CA
Lines: 56

In article <8811181901.AA12769@pinocchio.UUCP> bzs@pinocchio.UUCP (Barry Shein)
writes (in regard to shadow password files):
>>> You're turning the file into pure gold.
>> [ . . . ]
>>But even if someone did capture a copy of a shadow pw file, you'd only be
>>in the same situation you always were when /etc/passwd contained passwds.
>>So is it really the kind of catastrophe you suggest?
>> Stuart Levy
>That's the idealized situation. In reality once you've decided that
>the security of your system depends on the read security of one file
>then any breach of that must be responded to, common sense would
>dictate it. Otherwise, why did you make it unreadable? I don't think
>going forth with the idea "oh, we did it, but we never *really* needed
>to, it doesn't matter if a copy got out" is a rational approach.
> [ . . . ]
>I still contend it's a bad idea, concentrate on the other aspects.
>If some form of publicly readable encryption is deemed impossible
>as a concept I sincerely hope that argument gets published.
> -Barry Shein, ||Encore||

World-readable encrypted passwords allow an attacker to verify that he
has correctly guessed a particular password, and to perform this
verification on a host other than the one being attacked. This will
allow the attacker to crack a significant fraction of the passwords
(I have seen claims that over 30% of passwords are easily guessed)
without leaving any traces of his attack, aside from a single (possibly
legitimate) access to the system using the privileges of a normal user.

Even if all passwords are well-chosen, the attacker has a non-zero
chance of guessing a given password. If the attacker has enough fast
hardware at his disposal, he may in fact have a pretty good chance.
And there is always the chance that someone might come up with a clever
attack on DES . . .

Given a properly implemented and configured shadow password file, the
attacker must have privileged access to the machine to get the encrypted
passwords (assuming that all people that -do- have such know not to
release the encrypted passwords). The attacker can of course use the
target host's own login prompt to verify guesses at passwords, but this
sort of activity should alert the host's administrators.

If someone who does not have legitimate privileged access to the machine
is seen with a list of the encrypted passwords, it can be assumed that
the host's (network's) security has been compromised, and appropriate
steps can be taken.

It is still a good idea to encrypt the passwords (rather than relying
solely on the filesystem permissions) in order to reduce vulnerability
to the infamous ``disgruntled employee'' security hole.

In short, the idea behind shadow password files is to make it at least
as difficult to crack a password as it is to crack the system itself.
This is an especially good idea for machines that have a password for
the user ``root''.

				Thanx, Paul
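
An added example, not part of the original post: a small audit that checks the two conditions a "properly implemented and configured" shadow setup depends on, namely that no hash remains in the world-readable passwd file and that the shadow file's mode grants nothing to ordinary users. It assumes the now-common passwd(5) conventions (`x` for a shadowed entry, a leading `*` or `!` for a locked one), which the post itself does not describe; the function names and sample data are constructed for illustration.

```python
import stat

# Password-field conventions assumed here (passwd(5) on current systems):
# "x" = hash lives in the shadow file; leading "*" or "!" = login disabled.
def classify_field(pw: str) -> str:
    if pw == "":
        return "empty"            # no password required at all
    if pw == "x":
        return "shadowed"
    if pw.startswith(("*", "!")):
        return "locked"
    return "hash-exposed"         # anything else is readable by every user


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (user, finding) for each entry that is not shadowed or locked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:      # passwd entries have exactly seven fields
            findings.append((f"line {lineno}", "malformed"))
            continue
        verdict = classify_field(fields[1])
        if verdict in ("empty", "hash-exposed"):
            findings.append((fields[0], verdict))
    return findings


def shadow_mode_ok(mode: int) -> bool:
    """Shadow file must grant nothing to 'other' and no write bit to group."""
    return not (mode & (stat.S_IRWXO | stat.S_IWGRP))


# Constructed sample, not taken from any real system; the "hash" is a dummy.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:ZZconstructed:1001:1001:Alice:/home/alice:/bin/sh
bob::1002:1002:Bob:/home/bob:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
broken:line
"""

if __name__ == "__main__":
    for who, what in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {what}")
    for mode in (0o640, 0o644):
        print(oct(mode), "ok" if shadow_mode_ok(mode) else "too permissive")
```

On a live host the same functions can be fed the contents of `/etc/passwd` and `stat.S_IMODE(os.stat(path).st_mode)` for the shadow file.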