passwds and crypt(3)...

P E Smee exspes at gdr.bath.ac.uk
Wed Jan 3 21:31:41 AEST 1990


In article <1990Jan2.222052.915 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
>  Now, let's say that someone wants to break into your account, and
>since they don't know the various security holes that could allow them
>to become the super-user on any Unix machine :-), they want to do so by
>finding out what your password is.  They have the following tools to help them:
>
>What the program does is take each word in the password dictionary and
>encrypt it using the seed in the /etc/passwd file.  Then, it checks if
>the encrypted string which is returned is the same as your encrypted
>password string, and if it is, it has found your password!

Unstated, but implicit, is the fact that it is even worse if the perpetrator
just wants to break *some* password(s), not necessarily yours.  Having
encrypted a 'trial' password once, it can then be checked against all
encrypted passwords in /etc/passwd to see if it gets any hits.

A few years ago a couple of our undergrads used this approach against our
Multics system.  (On Multics the password file was not normally readable
by the public, but a change in default access settings at a new system
release created a 'window' at our site during which the U/Gs grabbed a
copy.)  By the time we found the parties involved, they had cracked on
the order of 85% of the passwords on the system using this approach.  
(Something like 25 users were using 'hello', sigh.)  Having access to so
many accounts, they were even doing their cracking on Multics -- but in
'invisibly-named' directories which appeared to belong to other people,
scattered liberally throughout the system.


-- 
Paul Smee, Univ of Bristol Comp Centre, Bristol BS8 1TW, Tel +44 272 303132
 Smee at bristol.ac.uk  :-)  (..!uunet!ukc!gdr.bath.ac.uk!exspes if you MUST)
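The two attacks described in the thread, as an added worked example (this is not code from either poster): Kamens' per-user dictionary attack, and Smee's variant of hashing each trial word once and checking it against every entry in the file. Since the DES-based crypt(3) is not available in the Python standard library, a salted SHA-256 stands in for it (an assumption, labelled in the code); the password file, user names, salts and word list are all constructed for the example. One caveat the example makes visible: with a salted crypt(3)-style store, a trial word must be hashed once per distinct salt, so entries that happen to share a salt share the computation, and a store with no salt at all collapses to one computation per word across the whole file.

```python
import hashlib
from collections import defaultdict


def toy_crypt(password: str, salt: str) -> str:
    # Stand-in for crypt(3) (assumption): a salted one-way function is all
    # the demonstration needs; DES crypt is not in the standard library.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(name: str, password: str, salt: str) -> str:
    # "user:salt$hash" mirrors the way crypt(3) output carries its own salt.
    return f"{name}:{salt}${toy_crypt(password, salt)}"


# Constructed /etc/passwd-style sample; names, salts and passwords are invented.
SAMPLE_PASSWD = "\n".join([
    make_entry("alice", "hello", "ab"),
    make_entry("bob", "hello", "ab"),          # same salt and password as alice
    make_entry("carol", "hello", "cd"),        # same password, different salt
    make_entry("dave", "secret", "ef"),
    make_entry("erin", "Tr0ub4dor&3", "gh"),   # not in the word list
])

# Constructed "password dictionary".
WORDLIST = ["password", "hello", "letmein", "secret", "xyzzy"]


def parse_passwd(text: str):
    """Return a list of (name, salt, stored_hash) tuples from the sample file."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":", 1)
        salt, digest = field.split("$", 1)
        entries.append((name, salt, digest))
    return entries


def crack_one(entries, target: str, wordlist):
    """Kamens' attack: guess one user's password using that user's own salt."""
    for name, salt, digest in entries:
        if name != target:
            continue
        for word in wordlist:
            if toy_crypt(word, salt) == digest:
                return word
        return None
    raise KeyError(target)


def crack_all(entries, wordlist):
    """Smee's variant: hash each trial word once per distinct salt and look it
    up against every stored hash that shares that salt.
    Returns (found, hash_computations)."""
    by_salt = defaultdict(dict)            # salt -> stored_hash -> [names]
    for name, salt, digest in entries:
        by_salt[salt].setdefault(digest, []).append(name)
    found = {}
    computations = 0
    for word in wordlist:
        for salt, digests in by_salt.items():
            computations += 1              # one hash covers every user on this salt
            hit = digests.get(toy_crypt(word, salt))
            if hit:
                for name in hit:
                    found[name] = word
    return found, computations


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("alice:", crack_one(entries, "alice", WORDLIST))
    found, n = crack_all(entries, WORDLIST)
    print(f"cracked {len(found)} of {len(entries)} accounts with {n} hash "
          f"computations (naive per-user: {len(WORDLIST) * len(entries)})")
    for name, pw in sorted(found.items()):
        print(f"  {name}: {pw}")
```

The count returned by crack_all is the practitioner's reason to care: five words against five accounts costs 20 hash computations here because there are only four distinct salts, and if every account in the file used the same salt (or none) it would cost five. Users who share a password on the same salt, like alice and bob above, fall together, which is exactly the "25 users were using 'hello'" situation.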



More information about the Comp.unix.questions mailing list