[1093] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Adam Shostack)
Fri Oct 27 19:37:42 1995
From: Adam Shostack <adam@bwh.harvard.edu>
To: Julian.Anderson@Comp.VUW.AC.NZ (Julian Anderson)
Date: Fri, 27 Oct 1995 15:45:00 -0400 (EDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199510270048.NAA21060@bats.comp.vuw.ac.nz> from "Julian Anderson" at Oct 27, 95 01:48:05 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Julian wrote:
| >What can you glean from a passwd file?
| >
| >Surely no one has cracked crypt()...
|
| Nope, but it's not that strong, so you can brute-force it. That is,
|
| Because of that, if you don't have shadow passwords, you should be
| running crack or one of its variants, simply because you should
| assume your password file has escaped. Even if you *do* have shadow
| passwords, it's not a bad idea to run it. In fact, if you run your
| own password system, you can use CrackLib to make it hard for your
| users to pick a dud password.
It's probably worth mentioning that using reusable passwords
over the net is a loss. If you allow remote access, require strong
authentication, such as S/key, deslogin, or a hardware token
provides.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
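The proactive check Julian describes (running crack against your own file, or using CrackLib to reject dud passwords before they are set) can be sketched in a few lines. The following is an added example, not code from the thread or from CrackLib itself; the word list, the leet-substitution table and the sample accounts are all constructed here.

```python
import re

# Constructed stand-in for the system dictionary CrackLib consults.
WORDLIST = {"password", "secret", "letmein", "welcome", "dragon", "monkey", "qwerty"}

# Common digit/symbol-for-letter substitutions, so "p@ssw0rd" is still seen as "password".
LEET = str.maketrans("@01345$!", "aoleassi")

def _candidates(pw):
    """Lower-case forms of the password that a word-list attack would try first."""
    lowered = pw.lower()
    # Drop leading/trailing digits and punctuation: "password123", "!!secret", ...
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, lowered.translate(LEET), core, core.translate(LEET)}
    return forms | {f[::-1] for f in forms}   # reversed words count too

def check_password(pw, user=""):
    """Return None if the password is acceptable, else a short CrackLib-style reason."""
    if len(pw) < 8:
        return "too short"
    if pw.isdigit():
        return "all digits"
    if len(set(pw)) < 4:
        return "too few distinct characters"
    cands = _candidates(pw)
    if user and any(user.lower() in c for c in cands):
        return "based on username"
    if cands & WORDLIST:
        return "dictionary word"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 2:
        return "too few character classes"
    return None

def audit(accounts):
    """Run the check over (user, candidate password) pairs; return only the rejects."""
    return {u: r for u, p in accounts if (r := check_password(p, u)) is not None}

if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = [("adam", "Tr0ub4dor&3"), ("julian", "P@ssw0rd!"),
              ("guest", "Welcome2024"), ("ops", "12345678"), ("mary", "xMary1995!")]
    for user, reason in audit(sample).items():
        print(f"{user}: {reason}")
```

A real deployment would load the full system dictionary and hook the check into the password-change path, which is what CrackLib's library interface is for.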