[1084] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Gintaras Richard Gircys (GG148))
Thu Oct 26 23:17:08 1995
From: "Gintaras Richard Gircys (GG148)" <Rich.Gircys@empac.com>
cc: www-security@ns2.rutgers.edu
To: mogens@mjosa.stanford.edu (Christian Mogensen)
In-reply-to: Message from Thu, 26 Oct 1995 13:23:05 -0800. <9510262023.AA29968@Mjosa.Stanford.edu>
Date: Thu, 26 Oct 1995 17:37:06 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
> Basically, crypt() is pretty much open to all-out attack because the
> password is only 8 characters long. Crypt is safe, but the way it is
> implemented on unix passwords is so weak as to make dictionary attacks
> easy.
>
there are a number of BSD OSes available that implement and support passwds
greater than 8 chars.
> There are many variations on this - the 8 character limit on passwords
> is a big hole.
>
the big hole is not the 8-char limit - the big hole is poor passwords. there's
only one type of password that is acceptable today: random gibberish (I mean
gibberish - nothing phonetic even) created by an RNG seeded by a
non-deterministic source (some good ones are available). a really random 8-char
passwd will make a brute-force attack not much fun. now do this with a 12-char
passwd and things start looking good.
have fun,
rich
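The point of the reply above is that a password drawn uniformly from a CSPRNG gets its strength from length times alphabet size, so an 8-character random password and a 12-character one differ by a large constant factor. The following is an added example, not code from the original post or from any of the BSD systems mentioned: it generates passwords with Python's `secrets` module (which is seeded from the operating system's non-deterministic entropy source, as the post calls for), computes the keyspace in bits for a given length and alphabet, and estimates expected exhaustive-search time at an assumed guess rate. The 94-symbol printable-ASCII alphabet and the guess rate passed in by the caller are assumptions for illustration, not figures from the post.

```python
import math
import secrets
import string

# Printable ASCII without the space character: 52 letters + 10 digits +
# 32 punctuation marks = 94 symbols. Treating the whole set as available
# is an assumption; a site's password policy may restrict it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG.

    `secrets.choice` is backed by the kernel entropy pool, which is the
    "RNG seeded by a non-deterministic source" the post asks for. The
    `random` module's Mersenne Twister must not be used for this purpose.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def expected_guess_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password by exhaustive search.

    On average an attacker tries half the keyspace before hitting the right
    value, so the expected cost is 2**(bits-1) guesses. `guesses_per_second`
    is a caller-supplied assumption about the attacker's throughput.
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_lengths(lengths, guesses_per_second: float, alphabet: str = ALPHABET) -> dict:
    """Return {length: (bits, expected_years)} for each requested length,
    so the 8-char vs 12-char case from the post can be read off directly."""
    out = {}
    for n in lengths:
        bits = keyspace_bits(n, len(alphabet))
        out[n] = (bits, expected_guess_time_years(bits, guesses_per_second))
    return out


if __name__ == "__main__":
    # Constructed guess rate for illustration only; real rates depend on the
    # hash function and the attacker's hardware.
    rate = 1e9
    for n, (bits, years) in compare_lengths((8, 12), rate).items():
        print(f"{n:2d} chars: {bits:6.2f} bits, expected ~{years:.3g} years at {rate:.0e} guesses/s")
    print("sample 12-char password:", generate_password(12))
```

Running the script prints the bit strength of 8- and 12-character passwords over the 94-symbol alphabet and a sample password. The ratio between the two expected search times is the same whatever guess rate you assume, which is the post's point: each extra uniformly random character multiplies the attacker's work by the alphabet size.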