Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!ucsd!ames!haven!adm!smoke!ibd!heilpern
From: heilpern@ibd.BRL.MIL (Mark A. Heilpern )
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <233@ibd.BRL.MIL>
Date: 3 Jan 89 13:19:08 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu> <4523@xenna.Encore.COM> <232@ibd.BRL.MIL> <4545@xenna.Encore.COM>
Reply-To: heilpern@brl.arpa (Mark A. Heilpern (IBD) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 40

In article <4545@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>
>Re: using a .case file which shows the lower/upper case pattern for
>a password....
>
>But this means that login will now accept the dictionary word in lower
>case? Seems to reopen that attack (ie. going thru the dictionary) as
>login is correcting case for me as I go.

The time a dictionary search THRU THE LOGIN PROGRAM would take would be
astronomical. The danger in the ability of a dictionary search is in the
user writing a C program which uses the crypt() command, etc.

>
>Worse, it relies on the unreadability of these .case files in every
>user's directory, I don't think that's a good thing to rely on, if
>users are sloppy about password choosing and too lazy to remember the
>case shifts why do you believe they'll be careful about protecting
>this .case file? Besides, holes to read unreadable files are a little
>too easy to come by (also, I assume that the length of the file tells
>me how many chars in your passwd?)

1) The login program should NOT allow entry if the .case file is
readable, and since /bin/login is setuid to root, I THINK .case's
attributes could be unreadable to the user.

2) There is nothing wrong with a .case file with, say, 10 characters
when the password is only seven characters long! Additionally, the user
does not even have to be aware of what his cases are! /bin/passwd could
randomly create a new one when evoked, maybe making all of them 10 or 15
characters. [ Although I don't know of a way ] if there is a way to make
a file invisible to /bin/ls, the user would not have to be aware of the
file's existence.

Have a nice Day :)
--
|\/| | | | _ |<
/ \_(_(_)\_/ \______
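The scheme debated in this thread, modelled as an added example that is not part of the original post or of any real login program: a fixed-length case mask (padded so its size does not reveal the password length, as point 2 proposes), a login check that refuses to proceed unless the mask file's mode bits keep it private (point 1), and a count of how many case variants of a dictionary word an attacker must try with and without the mask. Names, the 10-character mask length, the SHA-256 stand-in for crypt(), and the sample salt are all assumptions made for illustration.

```python
import hashlib
import secrets
import stat

MASK_LEN = 10  # assumed fixed length: the file size then says nothing about the password


def make_case_mask(password, pad_choice=secrets.choice):
    """Build the .case contents: 'U' where the password letter is upper case,
    'l' elsewhere, padded with random entries to MASK_LEN."""
    mask = ['U' if c.isupper() else 'l' for c in password]
    while len(mask) < MASK_LEN:
        mask.append(pad_choice('Ul'))      # padding never affects a shorter password
    return ''.join(mask[:MASK_LEN])


def apply_case_mask(typed, mask):
    """Restore the stored case pattern onto whatever case the user typed."""
    return ''.join(c.upper() if m == 'U' else c.lower() for c, m in zip(typed, mask))


def hash_password(password, salt):
    """Stand-in for crypt(): a salted SHA-256 digest (constructed, not the real scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mask_file_is_private(mode):
    """Point 1 of the post: refuse to use a .case file that group or others can read.
    `mode` is the st_mode value a stat() call would return."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_login(typed, mask, mask_mode, salt, stored_hash):
    """Login as proposed: case-correct the typed password via the mask, then compare.
    A readable mask file causes an outright refusal rather than a fallback."""
    if not mask_file_is_private(mask_mode):
        return False
    return hash_password(apply_case_mask(typed, mask), salt) == stored_hash


def case_variants(word, mask_known=False):
    """How many case spellings of `word` an offline guesser must try. With the
    mask leaked there is exactly one, which is the risk Shein raises."""
    if mask_known:
        return 1
    letters = sum(1 for c in word if c.isalpha())
    return 2 ** letters


if __name__ == '__main__':
    salt = b'constructed-salt'                 # constructed sample value
    mask = make_case_mask('SecRet')
    stored = hash_password('SecRet', salt)
    print(mask, check_login('secret', mask, 0o600, salt, stored))
    print(case_variants('secret'), case_variants('secret', mask_known=True))
```

The refusal in `check_login` is deliberately a hard failure: a login program that silently ignored a world-readable mask would give the user no signal that the case information had been exposed.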