Re: Brute force against /etc/passwd?

Christopher Bibbs (chrisbib@umd.umich.edu)
Tue, 17 Jun 1997 09:14:55 -0400 (EDT)


> Another thing, on an unrelated note:
>
> How feasible now is a brute force attack against an individual Unix password
> encrypted with the standard Unix password hash function?
>
> In other words, how much longer does a crypt(3) take than a single encryption
> the DESCHALL client is doing now? My (Linux) man pages indicate that crypt(3)
> is a 56-bit DES hash, which would suggest to me that if 56-bit DES is broken,
> Unix password security is broken, too, and it's time for Unix in general to
> move to a much longer or slower hash.

Actually, the version of DES implemented in Unix systems is already "broken"
so that it takes a tad longer than normal DES. That slight increase is
insignificant when you're logging in, but in a brute force attack it really
matters.

> I'm tempted to write to Alec Muffett to inquire of his opinion about the
> feasibility of a network Crack style program on tens of thousands of fast
> computers. They say that distributed computing is the wave of the future,
> and if that's so, Unix security experts might do well to worry about the
> power of that wave.

There already is an RPC implementation of crack, but it suffers from a few
drawbacks:
1) Attempting such an attack covertly is not realistic. By its very nature
it must draw attention to itself.

2) Due to the time required, it is likely that the password will change during
the attack rendering results useless outside the academic pleasure of meeting
the challenge.

3) In the end you get *one* password. Not very practical, since we know that
a gain of $10,000 isn't an economically sound reason to crack DES at this time
(just counting electric costs, not hardware).

I think Unix passwords are safe from DES attacks (for the time being). However,
my company's financial and future plans that must be shipped overseas with weak
encryption are *very* vulnerable. If another company (say Johnson Controls)
knew that we (Lear) had struck a deal with one of their customers (say Ford Motor Company)
to be ready to replace them in case of a work stoppage (say a UAW strike) things
might look really bad in a few months when all this came to pass. (For those of
you who drive Expeditions, all this is completely theoretical) Would that
be worth it? I'd say so. I don't care if you know my password, I care if you
know my dirty little secrets.

-- 
Christopher Bibbs  |  "Do not disrupt my carefully controlled pattern of hype or
chrisbib@umich.edu |   YOU WILL BE PUT IN A BOX WITH BILL GATES AND SHAKEN."
Lear IT Center     |     -- Kibo