passwds and crypt(3)...

CCEL ccel at chance.uucp
Sat Jan 6 01:29:03 AEST 1990


In article <1990Jan3.103141.9903 at gdt.bath.ac.uk> exspes at gdr.bath.ac.uk (P E Smee) writes:
>In article <1990Jan2.222052.915 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:

>>What the program does it take each word in the password dictionary and
>>encrypt it using the seed in the /etc/passwd file.  Then, it checks if
>>the encrypted string which is returned is the same as your encrypted
>>password string, and if it is, it has found your password!
>
>Unstated, but implicit, is the fact that it is even worse if the perpetrator
>just wants to break *some* password(s), not necessarily yours.  Having
>encrypted a 'trial' password once, it can then be checked against all
>encrypted passwords in /etc/passwd to see if it gets any hits.

Funny you should mention this, my roommate ran a program that does
just this on our college's Ultrix machine (i'll leave out the names).
Just as a test, he wanted to find all the users whose passwords were
the same as their login names. He "cracked" about 35 passwords on the
first pass, including about 25 faculty accounts (kind of disturbing
that CS faculty members would be so careless with their passwords).
The University ended up charging him about $2800.00, something about
misuse of computer time...




Randy Tidd
rtidd at mwsun@mitre.org
#define DISCLAIM TRUE



More information about the Comp.unix.questions mailing list