Xref: utzoo sci.crypt:1398 comp.unix.wizards:13576 news.sysadmin:1966
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!apple!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: Yet Another useful paper
Message-ID: <2743@epimass.EPI.COM>
Date: 19 Dec 88 19:09:39 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 32

Dennis Mumaugh writes:
>>As far as UNIX passwords, it further justifies the use of a shadow
>>password file and the use of 64 character pass phrases.

In article <4420@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>Why? Because it shows a 20x speedup possibility? Let's do the
>arithmetic again...
>Given a 100 character character set and 8 characters in a password
>the search space is 100^8 which is 10,000,000,000,000,000

Irrelevant, because not all passwords are equally probable. The Internet
worm broke large numbers of accounts by using about five guesses obtained
from the user's line in the password file, and broke quite a few more
using a list of about 500 words (it's amazing how many accounts can be
broken by using the twenty most common female names as guesses).

People are incredibly lax about password security at most sites. Make it
fast enough, and people can just crunch away using /usr/dict/words; an
uneducated user is much more likely to use a word than a random group of
eight characters. Since the password file is publicly readable, you can
just retrieve it and crunch away quietly on a different machine until
you've broken the passwords you want. With a shadow password file and
appropriate security logging, you can't repeatedly guess a user's
password without triggering some alarms.
-- 
- Joe Buck  jbuck@epimass.epi.com, or uunet!epimass.epi.com!jbuck,
  or jbuck%epimass.epi.com@uunet.uu.net for old Arpa sites
I am of the opinion that my life belongs to the whole community, and as long
as I live it is my privilege to do for it whatever I can. -- G. B. Shaw
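The post's point that the cheap guesses (fields from the user's own passwd line, then a word list) fall long before any 100^8 search is exactly what a proactive password check screens for at set-password time. The following is an added example from the defender's side, not code from the original post; the precise derivation list (login name, reversed, doubled, words of the GECOS name) and the tiny inline word list are constructed assumptions standing in for the worm's guesses and /usr/dict/words.

```python
"""Proactive password check against the guesses the post says fall first.

Added example; the derivation rules and WORDLIST below are assumptions
(the post only says 'about five guesses obtained from the user's line
in the password file' plus a ~500-word list and common first names).
"""

# Constructed stand-in for /usr/dict/words plus a few common names.
WORDLIST = {"secret", "password", "welcome", "jennifer", "susan", "linda"}


def guesses_from_passwd_line(line):
    """Derive cheap candidate passwords from one /etc/passwd line.

    Fields: login:passwd:uid:gid:gecos:home:shell.  The first
    comma-separated item of GECOS is the full name; each word of it,
    and its reversal, is tried, as are the login, its reversal and
    the login doubled (assumed rules, modelled on the worm's guesses).
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 7:
        raise ValueError("malformed passwd line")
    login, gecos = fields[0], fields[4]
    cands = {login, login[::-1], login * 2}
    for word in gecos.split(",")[0].split():
        cands.add(word)
        cands.add(word[::-1])
    return {c.lower() for c in cands if c}


def password_is_weak(password, passwd_line, wordlist=WORDLIST):
    """Return a reason string if the password would fall to cheap
    guesses, or None if it survives this screen (not a guarantee of
    strength, only rejection of the guesses the post describes)."""
    if not password:
        return "empty password"
    p = password.lower()
    if p in guesses_from_passwd_line(passwd_line):
        return "derived from the account's password-file entry"
    if p in wordlist or p[::-1] in wordlist:
        return "dictionary word (or a reversed one)"
    if len(password) < 8:
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    # Constructed sample passwd line for the check to run against.
    sample = "jbuck:x:1001:100:Joe Buck,,,:/home/jbuck:/bin/sh"
    for pw in ("jbuck", "kcub", "jennifer", "terces", "Xq7!vR2#p"):
        print(pw, "->", password_is_weak(pw, sample))
```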