From: vince@victrola.sea.wa.us (Vince Skahan)
Subject: Re: Weird group problems under .99.3
Date: Sat, 16 Jan 1993 02:16:41 GMT

magnus@brisk.ii.uib.no (Magnus Y Alvestad) writes:
>You say that the availability of crypt as source code is a security
>problem, or rather - that it makes it simpler to break passwords.
>Do you really think crypt is reversible?
>If you can do that, you're a rich man.

It doesn't have to be reversible, it just has to be documented so you can
do a brute force attack encrypting against a dictionary. Unfortunately,
there are many super-fast crypt() clones out there that make it a significant
risk to have visible encrypted password strings, hence the use of shadow
passwords to make it at least somewhat more difficult to crack 'em.
It's not the total solution, but it's a significant improvement.

I've never gotten less than 15% cracked passwords when I've run some of
the usual brute force attack programs against a password file with more
than 50 users in it (at places where I've worked as a sys-admin).

--
---------- Vince Skahan --------- vince@victrola.sea.wa.us ----------
+++ A Waffle Iron - Linux Division +++
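
Added example, not part of the original post: a small audit that reads passwd(5)-format text and reports accounts whose password field is still visible in the world-readable file instead of being moved to a shadow file. The sample entries and hash strings are constructed, and the `$id$salt$hash` check goes beyond the traditional 13-character crypt() strings the post discusses.

```python
import re

# Constructed sample in passwd(5) format; the hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB/yJc:1001:100:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$Zm9vYmFy:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
dave:!abJnggxhB/yJc:1004:100:Dave:/home/dave:/bin/sh
broken line without fields
"""

# Traditional crypt(): 2 salt characters followed by 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Classify the second passwd field from a defender's point of view."""
    if field == "":
        return "empty"                # no password required at all
    if field == "x":
        return "shadowed"             # hash lives in the shadow file
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!*")         # a locked entry may still carry a hash
    if DES_RE.match(body):
        return "exposed-des"
    if body.startswith("$") and body.count("$") >= 3:
        return "exposed-modular"      # $id$salt$hash
    return "locked" if locked else "unknown"

def audit(passwd_text):
    """Return (line number, user, status) for every entry needing attention."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, None, "malformed"))
            continue
        status = classify(parts[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, parts[0], status))
    return findings

if __name__ == "__main__":
    for lineno, user, status in audit(SAMPLE_PASSWD):
        print(f"line {lineno}: {user or '?'}: {status}")
```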