[1082] in WWW Security List Archive


Re: Unix links subverting Web security

daemon@ATHENA.MIT.EDU (Christian Mogensen)
Thu Oct 26 19:26:01 1995

From: mogens@Mjosa.Stanford.edu (Christian Mogensen)
To: Jeffrey Russell Horner <jhorner@cs.utk.edu>
Cc: Thomas Maslen <tmaslen@verity.com>,
        Steff Watkins <Steff.Watkins@Bristol.ac.uk>,
        www-security@ns2.rutgers.edu, mogens@Mjosa.Stanford.edu
In-Reply-To: (Your message of Thu, 26 Oct 95 15:33:03 D.)
             <199510261933.PAA25133@rudolph.cs.utk.edu> 
Date: Thu, 26 Oct 95 13:23:05 -0800
Errors-To: owner-www-security@ns2.rutgers.edu

>What can you glean from a passwd file?
>
>Surely no one has cracked crypt()...

You forgot the smiley, right?  You can't be seriously wondering if
having the password file isn't a risk for the system?

Basically, crypt() is pretty much open to all-out attack because the
password is only 8 characters long.  Crypt is safe, but the way it is
implemented on unix passwords is so weak as to make dictionary attacks
easy.  

Run crypt on all usernames, dictionary entries, etc.  You end up with
a reverse index that's a few meg in size, but which will instantly give
you the password given a crypt'ed phrase.

There are many variations on this - the 8 character limit on passwords
is a big hole.

Christian 'webhead'
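
Added example, not part of the original message: a defender-side audit that reads a passwd-format file and flags entries whose password field carries a hash directly, in particular the traditional 13-character DES crypt format with the 8-character limit discussed above. The function names and the sample lines are constructed for illustration; the hash strings are placeholders, not real password hashes.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all drawn
# from [./0-9A-Za-z]. Only the first 8 password characters are hashed.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format, e.g. $1$..., $5$..., $6$...
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$")

def classify(field):
    """Classify the password field (second column) of a passwd line."""
    if field == "x":
        return "shadowed"            # hash lives in a root-only shadow file
    if field == "":
        return "empty"               # account has no password at all
    if field.startswith(("!", "*")):
        return "locked"
    if DES_RE.match(field):
        return "des-crypt"
    m = MODULAR_RE.match(field)
    return "modular-" + m.group(1) if m else "unknown"

def audit(passwd_text):
    """Return (user, finding) pairs for entries that expose a hash."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        user, kind = parts[0], classify(parts[1])
        if kind == "des-crypt":
            findings.append((user, "legacy DES crypt hash in readable file "
                                   "(password truncated to 8 characters)"))
        elif kind == "empty":
            findings.append((user, "empty password field"))
        elif kind.startswith("modular-"):
            findings.append((user, "hash stored in passwd, not shadow"))
    return findings

# Constructed sample input; hash values are placeholders.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:ab01FAX.bQRSU:1001:100:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$Zm9vYmFy:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```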
