Hacking

Sean Batt sean at coombs.anu.edu.au
Thu Mar 28 12:26:39 AEST 1991


pjnesser at mbunix.mitre.org (Nesser) writes:

> Someone in this thread pointed out that the way to crack passwords
> is to maintain a list of encrypted dictionary words and compare
> against that.

I use this technique from time to time to make sure the users on my
machine are choosing reasonable passwords. If you choose something
easy around here, you'll get a non-email letter with a paper on the
"right way" to choose passwords. Unfortunately, some of my users
choose the obviously difficult to crack passwords that are suggested
in the paper! How many of my users have "IXdKKasPDd" as their password?
(i.e. after "In Xanadu did Kubla Khan a stately Pleasure Dome decree").

> I just want to point out that this is an amazingly expensive way to
> do it since you have to keep 4096 strings for each word.  Disk space
> is getting cheaper but ...  It's not that I've figured out a great
> way to do it myself but ... :-)

Ahh! Well I keep mine on ten 2.3GByte Exabyte tapes. Indexed by salt
for example. On my machine with 500 users we have 411 distinct salt
values. That certainly cuts down the search space. Of course for my
application it's only necessary to record the encrypted value as we're
not interested in exactly what the password was, just the fact that it
could be {cr,h}acked.

I'm not going to make my tapes available to anyone else I'm afraid.

Sean

--
------------- Sean Sebastian Batt - sean at coombs.anu.edu.au --------  .______. 
-------- Coombs Computing Section - Telephone: +61 6 249 3296 -----  | Damn |\
-- Australian National University - GPO Box 4 Canberra City 2601 --  | Fine |/
-------------------------------------------------------------------  `------'
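The salt-indexed precomputed dictionary the thread is discussing, as an added example that is not code from the original post or from Sean's tapes. crypt(3) of that era used a two-character salt drawn from a 64-character alphabet (hence the 4096 strings per word), so the block enumerates those salts, reads the salts actually present in a constructed passwd(5) file, precomputes the dictionary only for those salts, and stores the encrypted values alone, so the audit learns that an account cracks without learning the word. The hash function itself is an assumption: `toy_crypt()` is a stand-in with the same 13-character shape (salt plus 11 hash characters) so the example runs without a DES crypt implementation; the indexing logic does not depend on which hash is underneath.

```python
"""Salt-indexed precomputed dictionary for auditing crypt(3)-style hashes.

Added example, not code from the original post.  crypt(3) itself is
replaced by toy_crypt(), a stand-in with the same 13-character shape
(2-char salt + 11 hash chars), so the block runs anywhere; the indexing
logic is what the thread describes and does not depend on the hash used.
"""
import hashlib
import itertools
import string

# crypt(3) salt alphabet: 64 characters, so a two-character salt has 4096 values.
SALT_CHARS = "./" + string.ascii_uppercase + string.ascii_lowercase + string.digits
ALL_SALTS = ["".join(p) for p in itertools.product(SALT_CHARS, repeat=2)]


def toy_crypt(password, salt):
    """Stand-in for crypt(3) (assumption made for this example; not DES).
    Returns salt + 11 characters from the crypt alphabet, like a real hash."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    digest = hashlib.sha256((salt + password).encode()).digest()
    n = int.from_bytes(digest[:9], "big")  # 72 bits, enough for 11 x 6 bits
    out = []
    for _ in range(11):
        out.append(SALT_CHARS[n & 63])
        n >>= 6
    return salt + "".join(out)


def parse_passwd(lines):
    """Return {user: hash} from passwd(5)-style lines (user:hash:uid:...)."""
    entries = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*"):
            entries[fields[0]] = fields[1]
    return entries


def distinct_salts(entries):
    """The salts actually in use; this bounds the work, not the full 4096."""
    return {h[:2] for h in entries.values()}


def build_table(words, salts):
    """Precompute {salt: {hash, ...}} for the given salts only.
    Only the encrypted value is kept, not the word that produced it: the
    audit needs to know that a password cracks, not what it is."""
    return {salt: {toy_crypt(w, salt) for w in words} for salt in salts}


def audit(entries, table):
    """Usernames whose stored hash appears in the precomputed table."""
    return sorted(user for user, h in entries.items() if h in table.get(h[:2], ()))


# Constructed sample data (not from the original post): salt and plaintext
# per user, turned into passwd(5) lines with toy_crypt.
SAMPLE_PASSWORDS = {"alice": ("ab", "password"), "bob": ("cd", "IXdKKasPDd"),
                    "carol": ("ab", "secret"), "dave": ("ef", "xanadu")}
SAMPLE_PASSWD = ["%s:%s:%d:100:%s:/home/%s:/bin/sh" % (u, toy_crypt(p, s), 1000 + i, u, u)
                 for i, (u, (s, p)) in enumerate(SAMPLE_PASSWORDS.items())]
WORDLIST = ["password", "secret", "letmein", "xanadu", "qwerty"]


def run_audit(passwd_lines=SAMPLE_PASSWD, words=WORDLIST):
    """Returns (crackable users, distinct salt count, hashes stored)."""
    entries = parse_passwd(passwd_lines)
    salts = distinct_salts(entries)
    table = build_table(words, salts)
    return audit(entries, table), len(salts), sum(len(v) for v in table.values())


if __name__ == "__main__":
    cracked, nsalts, stored = run_audit()
    print("distinct salts:", nsalts, "of", len(ALL_SALTS))
    print("hashes stored: %d (vs %d for every salt)" % (stored, len(ALL_SALTS) * len(WORDLIST)))
    print("crackable accounts:", cracked)
```

With the sample file, three of the four accounts share only three distinct salts, so the table holds 15 hashes instead of the 20480 that covering all 4096 salts would need; on Sean's machine the ratio was 411 salts against 4096. The passphrase-derived "IXdKKasPDd" is not in the wordlist and is not flagged, which is exactly the gap his users' copying of the paper's example would hide from a wordlist-only audit.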


