PASSWORD GUESSING (is trivial)

Jim Thompson Sun Dallas IR jthomp at hemaneh.Central.Sun.COM
Thu Aug 24 14:43:29 AEST 1989


> and a reasonably fast crypt() a person could *EASILY*, with a brute force
> approach, crack passwords without any major difficulty.
> tasks. 
 
> Now if someone has a real parallel machine or a C2 I could borrow I'd
> be glad to generate some statistics with some real computing power.. ;-)

I don't know if Doug meant 'Cray 2', 'Convex C2', or something else here.
What I do know is that crypt is fairly vectorizable, and will fall to 
the Convex vector 'C' compiler as is.  (Ok, so you take out the obvious
slowdowns..)  VC *loves* array references.  Anyway, it turns out that you can
do some blazingly huge number of (en)cryptions/sec on a Convex C1, (2000-2500).

At Convex, we had a password daemon that would fire up once per night,
and guess 'obvious' passwords, ("convex", login name, common obscenities, /usr/dict/words,
etc.)  If it found that you had a naughty password, it would send you a nastygram via
email asking you to change your password.

A 4-headed C2 would be just plain wicked on this problem.
(Since you get 4 vector units all chugging at the problem.)

Also, remember that when the Internet worm strode forth last Nov,
it was as interested in 'ordinary Joe' passwords as others.  It 'used'
the information gained about your password on 'this' system to attempt
gaining access to 'that' system.  Moral?  Don't keep the same password
on all your accounts.  (But you knew that, right?)

Jim Thompson - Network Engineering - Sun Microsystems -	jthomp at central.sun.com
Member of the Fatalistic International Society for Hedonistic Youth (FISHY)
"I wouldn't recommend sex, drugs, or unix for everyone, but they work for me."
					- Me (paraphrasing Hunter S. Thompson)
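
An added example, not part of the original post and not Convex's daemon: a sketch of the nightly audit described above, run over a constructed account table and returning the logins that should get a notification. PBKDF2 stands in for crypt(), and the names `audit`, `candidates`, `nastygram`, `make_account` and all sample data are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # low so the demo is quick; an assumption, not a recommendation

def hash_password(password, salt):
    """Salted hash standing in for crypt(); PBKDF2 is swapped in for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def candidates(login, site, words):
    """The 'obvious' guesses named in the post, plus simple case/reversal variants."""
    out = set()
    for w in (x.strip() for x in {login, site, *words}):
        if w:
            out.update({w, w.lower(), w.capitalize(), w[::-1]})
    return out

def audit(accounts, site, words):
    """Return logins (never the password) whose stored hash matches an obvious guess."""
    flagged = []
    for login, (salt, stored) in sorted(accounts.items()):
        for guess in candidates(login, site, words):
            if hmac.compare_digest(hash_password(guess, salt), stored):
                flagged.append(login)
                break
    return flagged

def nastygram(login):
    """Build the notification; actual mail delivery is left to the caller."""
    return (f"To: {login}\nSubject: please change your password\n\n"
            "The nightly audit matched your password against an obvious guess.\n")

def make_account(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample data; SAMPLE_WORDS stands in for /usr/dict/words.
SAMPLE_WORDS = ["wizard", "dragon", "secret"]
SAMPLE_ACCOUNTS = {
    "alice": make_account("ecila"),       # login name reversed
    "bob": make_account("Convex"),        # site name
    "carol": make_account("t9#Lq!vR2x"),  # not an obvious guess
    "dave": make_account("dragon"),       # dictionary word
}

if __name__ == "__main__":
    for login in audit(SAMPLE_ACCOUNTS, "convex", SAMPLE_WORDS):
        print(nastygram(login))
```

Because each account has its own salt, every guess is rehashed per account, which is why the encryptions/sec figure in the post determines how large a word list such an audit can cover in one night.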



More information about the Comp.unix.wizards mailing list