Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cs.utexas.edu!rutgers!cmcl2!adm!smoke!ibd!heilpern
From: heilpern@ibd.BRL.MIL (Mark A. Heilpern )
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <230@ibd.BRL.MIL>
Date: 29 Dec 88 14:37:52 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu>
Reply-To: heilpern@brl.arpa (Mark A. Heilpern (IBD) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 139

In article <2271@pompeii.cs.swarthmore.edu> schwartz@pompeii.UUCP (Scott Schwartz) writes:
}>Hiding something indicates that it is dangerous if revealed. It says,
}>basically, that encryption technology is inadequate and cannot be made
}>to work, the only reasonable protection is secrecy. Do we honestly
}>believe this? Or, worse, do we believe that security is attained by
}>layering anything we can think of onto the system?
>
}At least in terms of the current UNIX password scheme, I have the
}uncomfortable feeling that it is NOT adequate. I'll bet that
}99% of the people reading this have either used or seen a program
}that finds a substantial number of passwords on a given system by
}encrypting the dictionary against /etc/passwd.
}
}Put it this way: every other part of unix has evolved, why not allow
}the password protection scheme to evolve too?
>
}As it happens, I think that Barry has a good point here. I think
}one answer is to admit that 8 character passwords (and user id's,
}for that matter!) are too small. Someone who knows a lot about
}encryption (not me!) should suggest a better number.
>--
}Scott Schwartz

I do not believe the size of the password has to be the matter of
importance here. A password which exists in /usr/dict can be decoded
in a liberal 80 hours, IF the cpu is so tied up that it takes a
complete second to test one word, and only testing the 290,232 words
[on my machine] that are longer than 5 characters.

If the 2-letter key used in encryption were not known, this boosts
the 80 hour upper end to ~37 years. (80 hours * 4096 methods of
encryption) Why not store the key in an unreadable file?
--
|\/| | | | _ |< / \_(_(_)\_/ \______
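Added example, not code from the original post or its author: a small Python cost model that recomputes the post's 80-hour and ~37-year figures from its own inputs (290,232 words, one second per trial, a two-character salt with 64*64 = 4096 values) and, as an assumption of this example rather than something the post discusses, extends the same arithmetic to a password file holding many accounts, where the crypt(3) salt stored in the clear beside each hash forces a separate dictionary pass per distinct salt value. The "comparisons are free" simplification is also this example's assumption.

```python
"""Cost model for a dictionary attack on crypt(3)-style password hashes.

Added example, not part of the original Usenet post.  It reproduces the
post's figures (290,232 candidate words, one second per trial, a
two-character salt with 64*64 = 4096 values) and then generalises, as an
assumption of this example rather than something the post states, to a
password file with many accounts.
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR
SALT_VALUES = 64 * 64          # two salt characters from a 64-symbol alphabet

# The post's figures: words in /usr/dict longer than 5 characters on the
# author's machine, and a (deliberately slow) one second per trial.
POST_WORDS = 290_232
POST_SECONDS_PER_TRIAL = 1.0


def single_account_seconds(words, seconds_per_trial, salt_known):
    """Seconds to try every dictionary word against ONE stored hash.

    crypt(3) stores the salt as the first two characters of the hash field,
    so normally the attacker reads it and each word costs one trial.  If the
    salt were hidden (the post's proposal) every word must be tried under
    every possible salt.
    """
    trials = words if salt_known else words * SALT_VALUES
    return trials * seconds_per_trial


def many_accounts_seconds(words, seconds_per_trial, accounts, salted):
    """Upper bound on seconds to try every word against `accounts` hashes.

    Unsalted: the dictionary is encrypted once and each result is compared
    with every stored hash (comparisons assumed free).  Salted with a visible,
    randomly chosen salt: a separate dictionary pass is needed per distinct
    salt, which is at most min(accounts, SALT_VALUES) passes.  This is the
    generalisation assumed by this example, not a claim made in the post.
    """
    passes = min(accounts, SALT_VALUES) if salted else 1
    return words * passes * seconds_per_trial


def hours(seconds):
    return seconds / SECONDS_PER_HOUR


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def post_figures():
    """Return the post's two numbers, recomputed from its inputs."""
    known = single_account_seconds(POST_WORDS, POST_SECONDS_PER_TRIAL, salt_known=True)
    hidden = single_account_seconds(POST_WORDS, POST_SECONDS_PER_TRIAL, salt_known=False)
    return {"salt_known_hours": hours(known), "salt_hidden_years": years(hidden)}


if __name__ == "__main__":
    f = post_figures()
    print(f"one account, salt visible: {f['salt_known_hours']:.1f} hours")
    print(f"one account, salt hidden:  {f['salt_hidden_years']:.1f} years")
    for n in (1, 100, 10_000):
        unsalted = many_accounts_seconds(POST_WORDS, POST_SECONDS_PER_TRIAL, n, salted=False)
        salted = many_accounts_seconds(POST_WORDS, POST_SECONDS_PER_TRIAL, n, salted=True)
        print(f"{n:6d} accounts: unsalted {hours(unsalted):10.1f} h, "
              f"visible salt {hours(salted):12.1f} h")
```

Which of the two single-account numbers applies depends entirely on whether the salt file stays unreadable; the multi-account rows show what the visible salt already buys against an attacker working through a whole password file, since the dictionary can no longer be encrypted once and compared against every hash at once.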