Password security - Another idea
Mark A. Heilpern
heilpern at ibd.BRL.MIL
Tue Jan 3 23:19:08 AEST 1989
In article <4545 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>
>Re: using a .case file which shows the lower/upper case pattern for
>a password....
>
>But this means that login will now accept the dictionary word in lower
>case? Seems to reopen that attack (ie. going thru the dictionary) as
>login is correcting case for me as I go.
The time a dictionary search THRU THE LOGIN PROGRAM would be astronomical.
The danger in the ability of a dictionary search is in the user writing a C
program which uses the crypt() command, etc.
>
>Worse, it relies on the unreadability of these .case files in every
>user's directory, I don't think that's a good thing to rely on, if
>users are sloppy about password choosing and too lazy to remember the
>case shifts why do you believe they'll be careful about protecting
>this .case file? Besides, holes to read unreadable files are a little
>too easy to come by (also, I assume that the length of the file tells
>me how many chars in your passwd?)
1) The login program should NOT allow entry if the .case file is readable,
and since /bin/login is setuid to root, I THINK .case's attributes could
be unreadable to the user.
2) There is nothing wrong with a .case file with, say, 10 characters when
the password is only seven characters long! Additionally, the user does not
even have to be aware of what his case's are! /bin/passwd could randomly
create a new one when evoked, maybe making all of them 10 or 15 characters.
[ Allthough I don't know of a way ] if there is a way to make a file
invisible to /bin/ls, the user would not have to be aware of the file's
existance.
Have a nice Day :)
--
|\/| |
| | _ |<
/ \_(_(_)\_/ \______
More information about the Comp.unix.wizards
mailing list