(none)

JRAMSDEN%wl7.prime.com at relay.cs.net JRAMSDEN%wl7.prime.com at relay.cs.net
Thu Apr 11 01:55:03 AEST 1991


Subject:  re: Passwords
To:       (unix-wizards at brl.mil)
From:     John Ramsden (@wl1:jramsden at wl7) Mount Farm  Ext 4025
Date:     10 Apr 91  2:47 PM

In <9104100059.AA02250 at uunet.UU.NET> lupienj at hpwarq.hp.com writes:

> >                       Certainly I don't know how to decode an encrypted
> > UNIX password, but I think it is somewhat foolhardy to assume that nobody
> > does. There are some very clever people around, and some of them have some
> > very fast and capable hardware.
>
> It doesn't matter how fast or powerful the hardware is. To steal
> a quote (from where I can't remember) "You can't feed sausage
> backwards through a meat grinder and come out with a pig at the
> other end". Now that this little misconception is cleared up :)

That's true as far as it goes, but if  you  develop  a  grinder  which
takes  a  sausage at one end, and delivers several protein-based units
at the other, you can be fairly  confident  of  having  recovered  the
original  pig  if  one  of  these  entities has a curly tail and makes
oinking noises.

What I'm saying is that even if  the  encryption  function  isn't  1-1
(and  it  probably  wouldn't  be), it might be possible to reconstruct
all the strings which encrypt to the same result, and the chances  are
that  one  of  these  will  look more plausible as a password than the
others.  Even if not, any one will serve as  a  password  provided  it
conforms  to  any  extra  conditions  necessary  to  be  a kosher Unix
password, i.e.  in terms of minimum  length  and  required  characters
etc.

> The best passwords are completely random sequences.

I'd dispute that because they're difficult to remember, and  therefore
vulnerable  to  being  written down (in extreme cases on little Postit
(tm) notes stuck to the terminal or somewhere near by !).

I thought it was fairly well established fact that the  best  type  of
password  is  a  meaningful  word,  but with a twist in the tail.  For
example think of a  topical  word,  let's  say  "Schwartzkopf".   "How
clever"  I  hear  you say, "no one would ever have thought of that one
John !" (although I bet there's some jerk somewhere  who  has  thought
of it, and thinks they're the first and last to do so !)

*But* if you then add a couple of numbers or a  symbol,  to  make  say
"Sch23wartzkopf"  it  gets  converted immediately from being guessable
(at a pinch) to impossible.

In the absence of special hardware arrangements,  any  password  entry
scheme  is  vulnerable  to  being  monitored, in which case it doesn't
matter how carefully the  password  is  constructed.   The  monitoring
could  be  by  software (a front-end shell of some sort), intercepting
signals in a cable or via radio, or picking up  radio  emissions  from
CRT  screens  to  reconstruct what appears on the screen.  I even read
that MI6 (a British lot) can tell what is being typed  on  a  teletype
by  analyzing  the  characteristic sounds made by the differing letter
shapes as they impact the paper !

The only way to get round this by typed input is to use  a  procedural
approach.  For  example  the  host  would display a 10 by 10 matrix of
numbers (or letters). Then instead of a  password  the  validation  is
the  knowledge  of a set of row/column pairs. The user just enters the
value displayed at the successive positions determined by  the  pairs.
Provided  the  matrix  values  are  chosen so that the values the user
must enter don't determine a single or even a small  set  of  possible
coordinates,  the  user's  input  would  be  no  help  to a snooper in
tackling another matrix (for which  of  course  the  values  would  be
different !) Ingenious isn't it ?  (not original though alas :-(

It doesn't have to be a matrix.  It might just  be  a  column  display
followed  by  a long string of digits/letters which the column display
"indexes".  There are all sorts of variants.

>  ____Eagles may soar, but weasels don't get sucked into jet engines._____

Nice one - I'll add that to my quip file !


========================================================================
John R Ramsden                |
    (jramsden at s55.Prime.Com)  |  "... and let that be a lesson to you !"
Prime Computer Inc            |         S Hussein (victory speech)
Framingham, Mass.             |
========================================================================

DISCLAIMER: The opinions expressed  above  don't  necessarily  reflect
those  of  Prime  Computer or its subsidiaries. What's more, in case I
forget to do this ridiculous disclaimer ritual  at  any  time  in  the
future,  the  same applies to all my postings unless explicitly stated
otherwise (highly unlikely).



More information about the Comp.unix.wizards mailing list