[1088] in WWW Security List Archive


Re: Unix links subverting Web security

daemon@ATHENA.MIT.EDU ((John Sechrest))
Fri Oct 27 02:48:07 1995

To: Jeffrey Russell Horner <jhorner@cs.utk.edu>
Cc: Thomas Maslen <tmaslen@verity.com>,
        Steff Watkins <Steff.Watkins@Bristol.ac.uk>,
        www-security@ns2.rutgers.edu
In-reply-to: Your message of Thu, 26 Oct 1995 15:33:03 EDT.
             <199510261933.PAA25133@rudolph.cs.utk.edu> 
Date: Thu, 26 Oct 1995 21:13:16 -0700
From: (John Sechrest) <sechrest@cs.orst.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

--------

Jeffrey Russell Horner <jhorner@cs.utk.edu> writes:

 % What can you glean from a passwd file?
 % 
 % Surely no one has cracked crypt()...

By testing against a dictionary with "common" variations, current
machines can do more than 100,000 probes per second. That means
that you can exhaustively test all common names and variations in
a day or so.... And a full exhaustive search of the current
password is on the order of a month or two of compute time
with current systems....

Giving away a password, even encrypted, is a big issue.
We crack our own password file on a regular basis as a way
to keep the guessable passwords to a minimum....





John Sechrest         .         Helping people use
Executive Director      .           computers and Internet
Computer Science Outreach .            more effectively
303 Dearborn Hall            .
Oregon State University         .      Internet: sechrest@cs.orst.edu
Corvallis Oregon 97331               .           (503) 737-5562             
                                            .    http://www.csos.orst.edu/
