From: pmacdona@sanjuan (Peter MacDonald)
Subject: Re: Weird group problems under .99.3
Date: Fri, 15 Jan 1993 23:03:13 GMT

In article <mcampbel.727103210@eola.cs.ucf.edu> mcampbel@cs.ucf.edu (Mike Campbell) writes:
>pmacdona@sanjuan (Peter MacDonald) writes:
...
>The test of a "secure" crypt, (note quotes), or any other security measure
>is the ability, or lack thereof, to crack passwords with the algorithm or
>source in hand.
>
>The crypt algorithm, as well as DES etc is well known. What makes them good
>is that they're STILL virtually unbreakable except with huge amounts of
>processing power.
>
>Yes, availability of source may make it somewhat easier, but that's almost a
>red herring. Making an EXTREMELY difficult problem 'somewhat' easier leaves
>it still extremely difficult.

In the real world, most sysadmins won't check to see if users' passwords
are easily guessable (in spell dict, etc.). So mailing the /etc/passwd
file out to an external system (by an internal user) for cracking
purposes is a real possibility. Or using crack locally is a very
real possibility. If the encrypted passwords are readily available,
obvious passwords will be readily cracked.

It is not extremely difficult to find obvious passwords. Somebody
else mentioned using arrays of cracking machines to split the work.
Sure, the sysadmin could check to eliminate them, but shadow passwords
ensure that he/she doesn't need to, because automated attacks
are very difficult and/or are logged.

However, I agree that shadow passwords have/are causing a bit of
confusion to new users. And more work is needed. But they
are here to stay in SLS.

Peter
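
Added example, not part of the original post: a defender-side check for whether a passwd-format file still exposes password hashes to every local user, which is the condition shadow passwords remove. The sample entries, hash strings and function names are constructed for illustration.

```python
import re

# Constructed sample in passwd(5) format; hash strings are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:ZZexampleHASH:1001:100:Alice:/home/alice:/bin/sh
bob:$6$examplesalt$notARealHashValue:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
carol:!:1004:100:Carol:/home/carol:/bin/sh
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3) output
MODULAR = re.compile(r"^\$[0-9a-z]+\$")         # $id$salt$hash formats


def classify(field):
    """Classify the second (password) field of one passwd entry."""
    if field == "":
        return "empty"            # account has no password at all
    if field == "x":
        return "shadowed"         # hash lives in the restricted shadow file
    # A lock prefix does not hide a hash that follows it.
    stripped = field.lstrip("!*")
    if stripped and (DES_CRYPT.match(stripped) or MODULAR.match(stripped)):
        return "exposed-hash"     # readable by any local user
    if field[0] in "!*":
        return "locked"
    return "unknown"


def audit_passwd(text):
    """Map each account (or malformed line) to its classification."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings[f"line {lineno}"] = "malformed"
            continue
        findings[parts[0]] = classify(parts[1])
    return findings


def needs_attention(findings):
    """Accounts a sysadmin should fix before relying on shadowing."""
    bad = {"exposed-hash", "empty", "malformed", "unknown"}
    return sorted(name for name, status in findings.items() if status in bad)
```

Running `needs_attention(audit_passwd(SAMPLE_PASSWD))` on the constructed sample lists the accounts whose entries should be moved to the shadow file or given a password.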