Re: Brute force against /etc/passwd?

Stephen Langasek (vorlon@dodds.net)
Tue, 17 Jun 1997 11:58:31 -0500 (CDT)


On Tue, 17 Jun 1997, Duane T Williams wrote:

> Should our solving the DES challenge make me worry about my Unix password?
> I don't think so. It is vastly more likely that a friend who knows me very
> well will guess my password than it is that Rocke is going to be able to
> persuade thousands of people to volunteer their computer time to illegally
> break into my Unix account in a DESCHALL-like effort. Would Unix passwords
> be greatly improved if they were based on an encryption algorithm that no
> one could currently break? Most would not. I would still be able to guess
> my friends' and colleagues' passwords just as easily as I do now.

Now that's just a sign that you (and your colleagues) are choosing the
wrong passwords. :-)

Although feasible, brute-force attacks against unix password files are
*not* going to be a serious concern. There are easier ways for people to
get into systems--default system passwords, for instance, that the
administrators never bothered to change after taking the machine out of the
box. Or crack: why bother doing an exhaustive search on all possible
keys, when you can get much quicker results doing an exhaustive search on
all the words in the dictionary? (And how many of you have ever used real
words as passwords? Tsk.)

But then, if a hacker is using crack, it means he already has access to
your password file. If you want your system to be secure (or at least as
secure as the root password*), make sure it's using shadow passwords...

-Steve Langasek
-doink-

* I've heard of administrators who never changed THIS from the
out-of-the-box default, either. And I've seen crack used successfully on
root passwords...
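As an added illustration of the shadow-password point above (this is example code written for this page, not part of the original list post), the following Python audit walks a passwd-style file and reports which accounts still expose a crypt(3) hash to every local user, which have an empty password field, and which are properly shadowed or locked. The sample lines are constructed, not taken from any real system.

```python
import re

# Constructed sample /etc/passwd lines (not from any real system) covering the
# cases the post discusses: a shadowed account, a locked account, an account
# with an empty password field, and accounts whose hashes are world-readable
# because shadow passwords are not in use.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:abJnggxhB/yWI:1002:1002:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:1003:1003:Bob:/home/bob:/bin/sh
"""

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, alphabet [./0-9A-Za-z]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_field(field: str) -> str:
    """Describe what the password field of one /etc/passwd entry exposes."""
    if field == "x":
        return "shadowed"        # hash lives in /etc/shadow, readable by root only
    if field == "":
        return "empty"           # no password at all: login succeeds with none
    if field.startswith(("*", "!")):
        return "locked"          # not a valid hash, password login disabled
    if DES_CRYPT.match(field):
        return "exposed-des"     # world-readable DES hash: a dictionary-attack target
    return "exposed-other"       # some other hash scheme, still world-readable

def audit_passwd(text: str) -> dict:
    """Map each user name to the classification of its password field.
    Lines without exactly 7 colon-separated fields are reported as malformed."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            result[fields[0]] = "malformed"
            continue
        result[fields[0]] = classify_field(fields[1])
    return result

def needs_attention(text: str) -> list:
    """Accounts an administrator should act on: empty, exposed or malformed."""
    return sorted(user for user, kind in audit_passwd(text).items()
                  if kind in ("empty", "malformed") or kind.startswith("exposed"))
```

Run against the real file with `needs_attention(open("/etc/passwd").read())`; on a system using shadow passwords every regular account should come back as "shadowed" or "locked".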