[1146] in linux-security and linux-alert archive
[linux-security] Re: password for over 8 characters
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Wed Sep 11 18:28:49 1996
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 10 Sep 1996 19:46:32 +0200 (MET DST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Yoji Tanaka <nulink@zip.com.au> wrote:
> I am looking for password system that allows over 8 characters for
> linux shadow password. If you know some, please email me.
Beware:
The "longer password" implementation that I've seen so far just makes
it easier for a hacker to hack the passwords once he has a copy of the
encrypted password file.
As an example: Let's assume that I choose my passwords from
/usr/dict/words. This is an invalid assumption, but it will show the
principle. A crack run would then have to handle 45000 passwords
(on my system).
When the password passes 8 chars, it shows clearly in the password file:
Only 17000 entries over 8 chars left....
Next I can run crack exhaustively (for a few chars) on the > 8 chars
part. 3 chars is about 17000 tries. Then you have the last 3
chars of the word chosen and a simple grep in the "list-of-tries" will
suffice to bring the number of words down to a handful.
More realistically you would have a larger set of words to try. This
would make this approach even more interesting. Running exhaustively
for 4 chars is really an option.....
Roger.
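The weakness described in the post, as an added example that is not part of the original message: a "longer password" scheme that hashes each 8-character slice separately is compared with one hash over the whole password, and the size of the candidate set a word-list search would have to consider is measured under each. The word list is a small constructed stand-in for /usr/dict/words, and SHA-256 stands in for crypt(3); the function names are this example's own.

```python
"""Why per-chunk hashing of long passwords weakens them (added example).

Two storage schemes are modelled: one hash over the whole password versus
the scheme the post warns about, where every 8-character slice is hashed on
its own. For each, the size of the remaining candidate set is computed from
a word list, following the three observations in the post: the number of
fields reveals the length bucket, the short tail chunk can be searched
exhaustively, and the recovered tail acts as a suffix filter.
"""
import hashlib
import itertools
import string

CHUNK = 8  # crypt(3)-style 8-character unit, as in the post

# Constructed stand-in for /usr/dict/words (the post's system had ~45000).
WORDS = [
    "apple", "banana", "cherry", "dragonfruit", "elderberry", "fig",
    "grapefruit", "honeydew", "kiwi", "lemon", "mango", "nectarine",
    "orange", "papaya", "quince", "raspberry", "strawberry", "tangerine",
    "watermelon", "blackberry", "blueberry", "cranberry", "gooseberry",
    "pomegranate", "passionfruit", "clementine", "persimmon", "mandarin",
]


def toy_hash(s):
    # SHA-256 stands in for crypt(3); only equality of digests matters here.
    return hashlib.sha256(s.encode()).hexdigest()


def store_whole(password):
    """Sound design: a single hash covers the entire password."""
    return [toy_hash(password)]


def store_chunked(password):
    """The design the post warns about: each CHUNK-char slice is hashed on
    its own, so the number of stored fields alone reveals the length bucket."""
    return [toy_hash(password[i:i + CHUNK])
            for i in range(0, len(password), CHUNK)]


def candidates_whole(words, stored):
    """Whole-password hashing leaks nothing about length: the candidate set
    is the entire word list."""
    return len(words)


def candidates_chunked(words, stored, alphabet=string.ascii_lowercase,
                       max_tail=3):
    """How far the word list shrinks under the chunked scheme."""
    n_fields = len(stored)
    # Step 1: the field count pins the length to one CHUNK-sized bucket.
    bucket = [w for w in words if (len(w) + CHUNK - 1) // CHUNK == n_fields]
    if n_fields == 1:
        return len(bucket)
    # Step 2: the last field covers at most CHUNK chars; a tail of up to
    # max_tail chars is cheap to enumerate (26**3 is about 17000 tries).
    tail = None
    for k in range(1, max_tail + 1):
        for combo in itertools.product(alphabet, repeat=k):
            if toy_hash("".join(combo)) == stored[-1]:
                tail = "".join(combo)
                break
        if tail is not None:
            break
    if tail is None:
        return len(bucket)  # tail longer than searched: no further narrowing
    # Step 3: only words whose final slice equals the recovered tail remain.
    offset = (n_fields - 1) * CHUNK
    return len([w for w in bucket if w[offset:] == tail])


if __name__ == "__main__":
    pw = "dragonfruit"  # constructed 11-character example
    print("whole-password hash, candidates:",
          candidates_whole(WORDS, store_whole(pw)))
    print("chunked hash, candidates:",
          candidates_chunked(WORDS, store_chunked(pw)))
```

With the constructed list, the whole-password scheme leaves all 28 words as candidates, while the chunked scheme leaves exactly one; the ratio only gets worse with a real-sized dictionary, which is the post's point.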