Yet Another useful paper

Phil Karn karn at ka9q.bellcore.com
Wed Dec 21 06:03:32 AEST 1988


I too have my doubts about the effectiveness of shadow password files.  My
fear is that it will make administrators complacent; they'll reason that
since no one can get at the file, then there's no need to ensure on a
regular basis that people pick hard-to-guess passwords.

The next thing you'd know, the crackers would be back because they figured
out somebody's trivial password by trial and error through the login prompt.
It doesn't take very long to try the simple permutations even that way.

I think the password file should remain publicly readable, thereby giving
the administrators more of an incentive to police it regularly for
easy-to-guess passwords. I'd also like to see a standard "key crunching"
algorithm for transforming a password (or phrase) longer than 8 characters
into a 56-bit DES key. Such a standard would be useful for encryption
programs as well.  A 56-bit search space is well beyond the brute-force
abilities of most crackers (though perhaps not the NSA) **IF** the keys are
widely and evenly distributed within it.

Phil
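The "key crunching" idea above, worked through as an added example (this is not Phil's code and not any standard; the mixing function, SHA-256, is an assumption chosen for illustration, and the "naive" scheme is modelled on the classic crypt(3) practice of using only the low 7 bits of each of the first 8 characters). The point it shows is the one the post makes: a 56-bit key space only helps if the keys actually spread across it, and simple truncation does not do that.

```python
"""
Passphrase -> 56-bit DES key "crunching" (added illustration, not from the
original post).

Assumptions: SHA-256 is the mixing function (an illustrative choice, not a
1988-era standard); naive_key() mirrors the classic habit of taking the low
7 bits of each of the first 8 characters and ignoring the rest.
"""
import hashlib
import math


def set_odd_parity(key: bytes) -> bytes:
    """Force the DES convention that every key byte has odd parity.

    The least significant bit of each byte is the parity bit; the other
    7 bits are key material.
    """
    out = bytearray()
    for b in key:
        b &= 0xFE                      # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones so far?
            b |= 1                     # ...then set parity bit to make it odd
        out.append(b)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of an 8-byte DES key carries odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def naive_key(password: str) -> bytes:
    """Classic scheme: first 8 characters, low 7 bits each, NUL-padded.

    Anything past character 8 is silently dropped, so longer passwords
    collide, and short or single-case passwords occupy only a sliver of
    the 2**56 possible keys.
    """
    raw = password.encode("ascii", "ignore")[:8].ljust(8, b"\x00")
    return set_odd_parity(bytes((b & 0x7F) << 1 for b in raw))


def expand_56_to_64(key56: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each), then add parity bits."""
    if len(key56) != 7:
        raise ValueError("need exactly 7 bytes (56 bits)")
    n = int.from_bytes(key56, "big")
    out = bytearray()
    for i in range(8):
        seven = (n >> (7 * (7 - i))) & 0x7F
        out.append(seven << 1)
    return set_odd_parity(bytes(out))


def compress_64_to_56(key64: bytes) -> bytes:
    """Inverse of expand_56_to_64: drop parity bits, pack 56 bits into 7 bytes."""
    n = 0
    for b in key64:
        n = (n << 7) | (b >> 1)
    return n.to_bytes(7, "big")


def crunched_key(passphrase: str) -> bytes:
    """Hash the *whole* passphrase so every character influences every key bit.

    Taking 56 bits of a well-mixed digest gives keys that are (for practical
    purposes) evenly distributed over the 2**56 space, which is exactly the
    condition the post attaches to its brute-force argument.
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return expand_56_to_64(digest[:7])


def naive_keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of how many distinct keys naive_key() can yield for passwords
    drawn from an alphabet of the given size; capped at 8 characters because
    the scheme ignores the rest."""
    return math.log2(alphabet_size ** min(length, 8))


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    a, b = "correct horse battery staple", "correct horse battery stapler"
    print("naive keys collide past char 8:", naive_key(a) == naive_key(b))
    print("crunched keys differ:          ", crunched_key(a) != crunched_key(b))
    print("lowercase 8-char naive space:   %.1f bits" % naive_keyspace_bits(26, 8))
    print("crunched key hex:", crunched_key(a).hex(), "odd parity:",
          has_odd_parity(crunched_key(a)))
```

The two derivations make the post's caveat concrete: naive_key() answers the same key for "password1" and "password2", and even with 8 fully used characters a lowercase-only password spans roughly 2**38 keys, not 2**56; crunched_key() consumes the entire phrase and lands anywhere in the 56-bit space, so the brute-force estimate in the post applies to it and not to the naive scheme.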
