How secure is UNIX?

Christopher R Volpe volpe at underdog.crd.ge.com
Tue Jun 12 23:13:43 AEST 1990


In article <1990Jun12.012339.12779 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
>
>In article <1990Jun10.183417.6226 at agate.berkeley.edu>,
>dankg at tornado.Berkeley.EDU (Dan KoGai) writes:
>
>|> 	I think my password was well-chosen:  It is hardly English or
>|> any other language, with Uppercase and Numbers.  My previous one was very
>|> random also.  Yet my 10-line (now 20 and can handle even more complex cases)
>|> successfully found it:  I didn't use /usr/dict/words or any sort at all.
>
>  Your password may very well have been well-chosen.  That's completely
>irrelevant to the argument of whether or not crypt() is adequate, since
>the way your account was broken into was by someone who read your .netrc
>file, not by someone who cracked your password by encryption.
>

Wait a minute. It sounds to me like Dan is claiming that with a 10
(or 20) line C program, he was able to find an arbitrary password
(with uppercase and numerals) via encryption. Yes, it's true, that
his account was broken into by someone who read the password from
the .netrc file, but that has nothing to do with his claim.
He says he didn't use /usr/dict/words or any sort of [word list] at all,
which implies something along the lines of an exhaustive search. 
I find that highly unlikely, considering that the password encryption
mechanism is an implementation of DES, which uses a 56-bit key.
A brute force search of the keyspace is pretty unfeasible. Perhaps
I misunderstood the claim.

============================
Chris Volpe
Computer Scientist
G.E. Corporate Research and Development
volpecr at crd.ge.com


