How secure is UNIX?

Boyd Roberts boyd at necisa.ho.necisa.oz
Tue Jun 5 10:59:39 AEST 1990


In article <1990Jun4.102422.12896 at agate.berkeley.edu> dankg at tornado.Berkeley.EDU (Dan KoGai) writes:
>
>	I don't think so:  I don't think /etc/passwd was a good idea:  It's
>encrypted.  So what?  That means you can take time to feed random string to
>encryptor, which is available, then find the matching string.
>

Dan, my man you seem to have jumped to the conclusion that UNIX isn't
secure because someone broke into your account and blew away your files.
How this was done would appear to be attributable to stupidity, and
not to underlying flaws in UNIX password security.

At this point I'd like to make the distinction between UNIX password security
and the various `security' of IP based networking utilities.  With those,
there is _no_ security.  I think RTM and various others have proved this
beyond a shadow of a doubt.  UNIX password security is secure, provided you
have chosen a reasonable password.

Sure, you can snarf /etc/passwd and try a dictionary attack.  But, you have
to get access to the machine first.  Without access to the machine it's
near impossible to break.  Shadow password files nullify this method of attack,
although I don't like this password file dichotomy.

The bottom line is that password security works.  Most systems aren't broken
into.  The ones that are broken are usually compromised by some sloppy
(ie. networking) utility or a flawed UNIX port.

So Dan, a piece of advice:

    $@$*$H$7$^$((J $@$*(J $@$D$1$F(J!


Boyd Roberts			boyd at necisa.ho.necisa.oz.au

``When the going gets wierd, the weird turn pro...''



More information about the Comp.unix.questions mailing list