JRAMSDEN%wl7.prime.com at relay.cs.net
Thu Apr 11 01:55:03 AEST 1991
Subject: re: Passwords
To: (unix-wizards at brl.mil)
From: John Ramsden (@wl1:jramsden at wl7) Mount Farm Ext 4025
Date: 10 Apr 91 2:47 PM
In <9104100059.AA02250 at uunet.UU.NET> lupienj at hpwarq.hp.com writes:
> > Certainly I don't know how to decode an encrypted
> > UNIX password, but I think it is somewhat foolhardy to assume that nobody
> > does. There are some very clever people around, and some of them have some
> > very fast and capable hardware.
>
> It doesn't matter how fast or powerful the hardware is. To steal
> a quote (from where I can't remember) "You can't feed sausage
> backwards through a meat grinder and come out with a pig at the
> other end". Now that this little misconception is cleared up :)
That's true as far as it goes, but if you develop a grinder which
takes a sausage at one end, and delivers several protein-based units
at the other, you can be fairly confident of having recovered the
original pig if one of these entities has a curly tail and makes
oinking noises.
What I'm saying is that even if the encryption function isn't 1-1
(and it probably wouldn't be), it might be possible to reconstruct
all the strings which encrypt to the same result, and the chances are
that one of these will look more plausible as a password than the
others. Even if not, any one will serve as a password provided it
conforms to any extra conditions necessary to be a kosher Unix
password, i.e. in terms of minimum length and required characters
etc.
> The best passwords are completely random sequences.
I'd dispute that because they're difficult to remember, and therefore
vulnerable to being written down (in extreme cases on little Post-it
(tm) notes stuck to the terminal or somewhere nearby !).
I thought it was a fairly well established fact that the best type of
password is a meaningful word, but with a twist in the tail. For
example think of a topical word, let's say "Schwartzkopf". "How
clever" I hear you say, "no one would ever have thought of that one
John !" (although I bet there's some jerk somewhere who has thought
of it, and thinks they're the first and last to do so !)
*But* if you then add a couple of numbers or a symbol, to make say
"Sch23wartzkopf" it gets converted immediately from being guessable
(at a pinch) to impossible.
In the absence of special hardware arrangements, any password entry
scheme is vulnerable to being monitored, in which case it doesn't
matter how carefully the password is constructed. The monitoring
could be by software (a front-end shell of some sort), intercepting
signals in a cable or via radio, or picking up radio emissions from
CRT screens to reconstruct what appears on the screen. I even read
that MI6 (a British lot) can tell what is being typed on a teletype
by analyzing the characteristic sounds made by the differing letter
shapes as they impact the paper !
The only way to get round this by typed input is to use a procedural
approach. For example the host would display a 10 by 10 matrix of
numbers (or letters). Then instead of a password the validation is
the knowledge of a set of row/column pairs. The user just enters the
value displayed at the successive positions determined by the pairs.
Provided the matrix values are chosen so that the values the user
must enter don't determine a single or even a small set of possible
coordinates, the user's input would be no help to a snooper in
tackling another matrix (for which of course the values would be
different !) Ingenious isn't it ? (not original though alas :-(
It doesn't have to be a matrix. It might just be a column display
followed by a long string of digits/letters which the column display
"indexes". There are all sorts of variants.
> ____Eagles may soar, but weasels don't get sucked into jet engines._____
Nice one - I'll add that to my quip file !
========================================================================
John R Ramsden |
(jramsden at s55.Prime.Com) | "... and let that be a lesson to you !"
Prime Computer Inc | S Hussein (victory speech)
Framingham, Mass. |
========================================================================
DISCLAIMER: The opinions expressed above don't necessarily reflect
those of Prime Computer or its subsidiaries. What's more, in case I
forget to do this ridiculous disclaimer ritual at any time in the
future, the same applies to all my postings unless explicitly stated
otherwise (highly unlikely).
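Added example, not part of the original post: a sketch of the matrix scheme the post describes, with the host drawing a fresh 10 by 10 matrix per login and checking the values at the user's secret row/column pairs. The single-digit cell values and all function names are assumptions; `logins_until_unique` measures how many fully observed logins (matrix plus typed values) leave only the true pairs consistent, which is the condition the post's "provided" clause depends on.

```python
import secrets

SIZE = 10                 # 10 by 10 matrix, as in the post
ALPHABET = "0123456789"   # assumption: each cell shows a single digit


def new_matrix():
    """Host side: a fresh random matrix for every login attempt."""
    return [[secrets.choice(ALPHABET) for _ in range(SIZE)] for _ in range(SIZE)]


def expected_response(matrix, secret):
    """Values displayed at the user's secret (row, column) pairs, in order."""
    return "".join(matrix[r][c] for r, c in secret)


def verify(matrix, secret, typed):
    """Host side: constant-time comparison of the typed values."""
    return secrets.compare_digest(expected_response(matrix, secret), typed)


def ambiguity(matrix, typed):
    """Per typed value, every cell showing it: what one observed login reveals."""
    return [{(r, c) for r in range(SIZE) for c in range(SIZE) if matrix[r][c] == v}
            for v in typed]


def logins_until_unique(secret, limit=50):
    """Observed logins needed before only the true pairs remain consistent."""
    candidates = None
    for n in range(1, limit + 1):
        m = new_matrix()
        seen = ambiguity(m, expected_response(m, secret))
        # A cell stays a candidate only if it matched in every login so far.
        candidates = seen if candidates is None else [a & b for a, b in zip(candidates, seen)]
        if all(len(c) == 1 for c in candidates):
            return n
    return None


if __name__ == "__main__":
    secret = [(0, 3), (4, 4), (9, 1)]   # constructed sample secret
    m = new_matrix()
    typed = expected_response(m, secret)
    print("accepted:", verify(m, secret, typed))
    print("cells consistent with each typed value:", [len(s) for s in ambiguity(m, typed)])
    print("observed logins until the pairs are unique:", logins_until_unique(secret))
```

With ten possible values spread over 100 cells, each observed login cuts the candidate cells for a position by roughly a factor of ten, so the secret pairs survive only a handful of fully observed logins.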