• Next message: Beaker: "Re: Weird group problems under .99.3"
• Previous message: Doug Warner: "Re: SCSI with .98pl4"
• Maybe in reply to: The Wyvern: "Weird group problems under .99.3"
• Next in thread: Beaker: "Re: Weird group problems under .99.3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

From: donadio@wilbur.psu.edu (Beaker)
Subject: Re: Weird group problems under .99.3
Date: 15 Jan 1993 02:05:05 GMT

Jeffrey Grills (jefftep@cs.utexas.edu) wrote:
: In article <1j4jflINNa72@matt.ksu.ksu.edu> probreak@matt.ksu.ksu.edu (James Michael Chacon) writes:
: [ ... ]
: >I know a sysadmin here, who regularly runs his password file through crack
: >to find the passwords that are easy to guess by others.

: Ah, isn't this one of my favourites. Why would one do this? This is
: disgusting, and awful waste of CPU. Obviously, somewhere, this person
: has a list of possible test passwords (or a program that generates
: them). Why not compare at the time the user attempts to set a new
: password, and compare the plaintext password with the attempted list,
: and save yourself the millions of calls to crypt(), while preventing
: passwords from ever being set to something easily cracke?

Crack is a bit more complicated than this. Crack takes the passwd
file and uses 240 different rules to alter the password in an attempt
to crack them. The passwd gets saved so the next time Crack is run
it will only do the changes. The password checker in COPS does
something similar, but it is not as thorough.

I think one problem with an extensive check of the password when it gets
changed is having the password residing in memory. A skilled hacker
could check memory and get the uncifered password. This is a long
shot, but it could happen. One way to avoid this would be to run
COPS nightly to check system security.

One solution to the password problem is to use a fascist(tm) passwd
program. The one I have now does a pretty good job for a quick check
at the password. If you want more security, run Crack. I have seen
Crack get passwords that I never though it would get. If you really
want to be paranoid (especially with ethernet) you could get Kerberos.
That way password never go on the wire.

If anyone is interested i am pretty sure Crack and COPS are on
ftp.uu.net. If you get Crack, also try to locate the source to
ufc-crypt. This really helps speed things up.

• Next message: Beaker: "Re: Weird group problems under .99.3"
• Previous message: Doug Warner: "Re: SCSI with .98pl4"
• Maybe in reply to: The Wyvern: "Weird group problems under .99.3"
• Next in thread: Beaker: "Re: Weird group problems under .99.3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]