Hacking

jpb jpb at umbio.med.miami.edu
Wed Mar 27 14:11:26 AEST 1991 

In article <1991Mar26.163720.28379 at en.ecn.purdue.edu> kidder at en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>In article <1991Mar26.015635.23103 at mintaka.lcs.mit.edu> rjc at geech.gnu.ai.mit.edu (Ray Cromwell) writes:
>
>>couple of minutes of guessing is all that is needed. New students
>>just receiving accounts choose easy passwords. For instance, at my 
>>local college here, I found that 50% of the passwords in the /etc/passwd
>>file were either the user's name, or his name spelled backwards, or
>>'pass', 'passwd', and 'password.'
>>   Blaming the FSF for password 'crackers' isn't right. If the FSF machines
>>were removed from the net it wouldn't stop hacking at all. In fact, once
>>a hacker gains access to a machine (through a unsecure student account)
>>he can download the password file and crack it on his pc at home.
>                                         ^--- Not very bloody likely since
>even the most sophisticated hacker couldn't break the DES encoding method
>used.  This fact is rather obvious since there is no decoding algorithm for
>password encryption on UNIX (or any of it's cousins, i.e. DYNIX).  UNIX-like
>systems ask for the password when you log in.  Encrypt it and compare the 
>one you gave to the one stored at your login pointer in /etc/passwd.  If
>the two encrypted password are identical you're in.  And no, the odds of 
>two different passwords having the same encryption word is astronomical.

Surprise.  The technique is not to try and crack DES, but to apply the same
algorithm to a dictionary file, and then compare the output to the
target login's password field.  If you're on another unix system, this
can be fairly trivial, especially if you have access to a machine with
a source license.  If you're feeling sophisticated, you maintain a
file containing all the successful strikes you've ever had, and use it
first before going to a large dictionary or (shudder) methodical
generation of words.

Joe
--
Joe Block (jpb at umbio.med.miami.edu)
"Never send a monster to do the work of an evil genius."

More information about the Comp.unix.wizards mailing list