[1146] in linux-security and linux-alert archive


[linux-security] Re: password for over 8 characters

daemon@ATHENA.MIT.EDU (Rogier Wolff)
Wed Sep 11 18:28:49 1996

To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 10 Sep 1996 19:46:32 +0200 (MET DST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)

Yoji Tanaka <nulink@zip.com.au> wrote:

> I am looking for password system that allows over 8 characters for
> linux shadow password.  If you know some, please email me.

Beware: 

The "longer password" implementation that I've seen so far just makes
it easier for a hacker to hack the passwords once he has a copy of the
encrypted password file.

As an example: Let's assume that I choose my passwords from
/usr/dict/words.  This is an invalid assumption, but it will show the
principle. A crack run would then have to handle 45000 passwords 
(on my system). 

When the password passes 8 chars, it shows clearly in the password file:
Only 17000 entries over 8 chars left.... 

Next I can run crack exhaustively (for a few chars) on the > 8 chars
part. 3 chars is about 17000 tries. Then you have the last 3
chars of the word chosen and a simple grep in the "list-of-tries" will
suffice to bring the number of words down to a handful. 

More realistically you would have a larger set of words to try. This
would make this approach even more interesting. Running exhaustively
for 4 chars is really an option..... 

					Roger.
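
The divide-and-conquer attack Roger describes, as an added illustration that is not part of the original post. It assumes a hypothetical "long password" scheme that hashes each 8-character block of the password separately (so the stored string reveals whether the password exceeds 8 characters and lets the tail be attacked on its own); the word list, the unsalted truncated SHA-256 used as the per-block hash, and all function names are constructed for the example:

```python
import hashlib
import itertools
import string

# Constructed stand-in for /usr/dict/words (assumption: a handful of words,
# where the post speaks of ~45000 on Roger's system).
WORDS = [
    "password", "passwords", "watermelon", "basketball", "butterfly",
    "dictionary", "telephone", "computer", "security", "encryption",
    "collision",
]

BLOCK = 8


def block_hash(chunk):
    """Per-block hash. Assumption: unsalted, truncated SHA-256; the weakness
    shown here does not depend on which hash function is used."""
    return hashlib.sha256(chunk.encode()).hexdigest()[:16]


def weak_hash(password):
    """Hypothetical 'over 8 chars' scheme: each 8-char block is hashed on its
    own and the block hashes are joined with '$'. The number of blocks,
    and so whether the password is longer than 8 chars, is visible in the
    stored value."""
    blocks = [password[i:i + BLOCK] for i in range(0, len(password), BLOCK)]
    return "$".join(block_hash(b) for b in blocks)


def is_over_eight(stored):
    """The 'shows clearly in the password file' step: a second block exists."""
    return stored.count("$") >= 1


def crack_tail(stored, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustively recover the part beyond char 8 from its separate hash.
    Returns (tail, number_of_hashes_tried) or (None, tries)."""
    tail_hash = stored.split("$")[-1]
    tries = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tries += 1
            cand = "".join(combo)
            if block_hash(cand) == tail_hash:
                return cand, tries
    return None, tries


def candidates_by_tail(words, tail):
    """The 'simple grep' step: keep only dictionary words whose part beyond
    8 chars equals the recovered tail."""
    return [w for w in words if len(w) > BLOCK and w[BLOCK:] == tail]


def crack(stored, words):
    """Full attack: spot the long password, brute-force its tail, filter the
    dictionary by tail, then confirm the handful of survivors.
    Returns (password, number_of_surviving_candidates) or None."""
    if not is_over_eight(stored):
        return None
    tail, _ = crack_tail(stored)
    if tail is None:
        return None
    survivors = candidates_by_tail(words, tail)
    for w in survivors:
        if weak_hash(w) == stored:
            return w, len(survivors)
    return None


if __name__ == "__main__":
    stored = weak_hash("encryption")
    print("stored:", stored)
    print("tail, tries:", crack_tail(stored))
    print("result:", crack(stored, WORDS))
```

With a whole-password hash the attacker's cost is the full word list; here the tail costs at most 26 + 26**2 + 26**3 block hashes regardless of dictionary size, and the remaining dictionary search collapses to the few words sharing that tail, which is exactly the effect the post warns about.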
