[1087] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Ong Guan Sin)
Fri Oct 27 01:55:18 1995
To: jhorner@cs.utk.edu (Jeffrey Russell Horner)
Date: Fri, 27 Oct 1995 11:21:13 +0800 (SST)
From: "Ong Guan Sin" <cceonggs@leonis.nus.sg>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199510261933.PAA25133@rudolph.cs.utk.edu> from "Jeffrey Russell Horner" at Oct 26, 95 03:33:03 pm
Errors-To: owner-www-security@ns2.rutgers.edu
>
> What can you glean from a passwd file?
>
> Surely no one has cracked crypt()...
>
Yes, it is difficult to crack Unix's crypt() although it is practically
possible. But "crack", the package written for people (originally intended
for sys admin only) to do password guessing, will work very well given the
passwd file and the fact that many users tend to use simple-to-guess
passwords. With crack and some CPU power, you can easily guess 10% or so
of the passwords, and imagine a passwd file with 10,000 users .... That's
why the existence of "shadow password" mechanism -- just to protect the
*encrypted* password entries.
--
GS
