From: wirzeniu@klaava.Helsinki.FI (Lars Wirzenius) Subject: Re: Weird group problems under .99.3 Date: Fri, 15 Jan 1993 11:56:35 GMT
pmacdona@sanjuan (Peter MacDonald) writes:
>I have heard that it is possible to reduce the search field
>when trying to crack passwords, if you have the source. I am
>not an expert in security (is anyone), but I do know that with
>enough processing power you can crack any password, if you
>have the algorithm used, and the encrypted string.
This is my understanding also. However, I share the opinion of the
poster upthread who didn't like shadow passwords because the current
implementation is not as good as it should be (multiple groups, and
all that). Heck, with a root /etc/passwd entry of
root::0:0::/:/bin/sh
and with all the other entries in a similar fashion, I obviously don't
care about password security at all! And why should I, I'm the only
person who has physical access to this machine (unless somebody breaks
into my room), it isn't networked, it doesn't allow dial-ins, nor any
other way to log in except via to console. Because of this, I have
little use for shadow passwords, and don't want to be pestered by
them. I don't think I'm unique, either. Therefore, it might be nice
if SLS allowed installation without shadows.
OTOH, I can readily imagine that the added complexity for Peter this
would mean isn't enough to make it worth it. And since it's possible
to live with the shadows, I can't fault him if he doesn't give the
alternative (I wouldn't, if I were in his position).
Of course, shadow passwords aren't that useful if /etc has write
permission to everybody... ;-) (Did a chmod -R a+rw / after I had a
few problems with permissions on my machine; like I said, I have few
problems with security. I'll fix it when I build my system up from
scratch the next time.)
What I would like, not instead of shadows, but as an independent
development, is allowing longer passwords (and usernames) than 8
characters. If passwords were allowed to be, say, 128 chars (just to
make the limit "big enough"), ditto for username, and people would
regularly use long passwords (16 or so), even crack should have a few
problems. I'm certain about a thousand people will point out that
many programs (and networks) will have problems with the longer
strings, but this change is inevitable sometime in the future anyway
(usernames of only 8 bytes are going to lose big time when character
sets > 8 bits per char become common).