[11862] in bugtraq
Re: Redhat 6.0 Password Issues
daemon@ATHENA.MIT.EDU (Scott Manley)
Sun Sep 12 23:40:48 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.OSF.3.91.990912232452.22400A-100000@star.arm.ac.uk>
Date:         Sun, 12 Sep 1999 23:27:37 +0100
Reply-To: Scott Manley <spm@STAR.ARM.AC.UK>
From: Scott Manley <spm@STAR.ARM.AC.UK>
X-To:         Alan Brown <alan@MANAWATU.GEN.NZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.05.9909121436490.11010-100000@mailhost.manawatu.net.nz>
> > This is a result of UNIX crypt (I believe).  Standard unix passwords only
> > handle the first 8 characters of a password; RH6.0 allows you to install MD5
> > passwords, which can give you additional length, if desired.
>
> Most Linux distributions do this.
>
> Anyone relying on DES passwd encryption these days could be said to
> have no passwd encryption at all - the entire legal 1-8 character passwd
> space will fit in less than 4Gb, so a determined cracker can fairly
> quickly determine what any given crypted password really is.
What????????? Where do you get 4GB from?
There are almost 10^16 legal passwords.
Plus you're forgetting the salt, which is designed to stop this pre-encoded
dictionary approach....
4GB maybe - if your users are instructed only to use numbers.
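The keyspace arithmetic and the salt argument from the exchange above, carried through in code. This is an added example, not part of the original thread or of any poster's message. It assumes printable ASCII (95 symbols) as the legal character set, a 13-byte entry per precomputed crypt(3) output, and the two-character [./0-9A-Za-z] salt of traditional DES crypt (4096 values); SHA-256 is used as a stand-in for crypt(3) in the lookup-table demonstration so the script runs without the deprecated crypt module.

```python
"""Keyspace sizes and salted vs. unsalted precomputed-table lookup.

Added example for the Bugtraq thread above; the numbers below are derived,
not quoted from the posts.  SHA-256 stands in for crypt(3) (assumption).
"""
import hashlib
import itertools

# 95 printable ASCII characters (space through '~'); assumed legal set.
PRINTABLE = "".join(chr(c) for c in range(32, 127))
DIGITS = "0123456789"
CRYPT_ENTRY_BYTES = 13      # length of a traditional DES crypt(3) output
DES_SALTS = 64 ** 2         # two salt characters from [./0-9A-Za-z]


def keyspace(charset_size, max_len, min_len=1):
    """Number of distinct passwords of length min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def table_bytes(charset_size, max_len, entry_bytes=CRYPT_ENTRY_BYTES):
    """Storage for one precomputed hash-per-password table (one salt)."""
    return keyspace(charset_size, max_len) * entry_bytes


def salted_table_bytes(charset_size, max_len, salts=DES_SALTS):
    """Storage needed to precompute every password under every salt."""
    return table_bytes(charset_size, max_len) * salts


def toy_hash(password, salt=""):
    """Stand-in for crypt(3): hex SHA-256 of salt||password (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(charset, max_len, salt=""):
    """Precompute hash -> password for every password up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            pw = "".join(tup)
            table[toy_hash(pw, salt)] = pw
    return table


def lookup(table, digest):
    """Return the password for digest if it was precomputed, else None."""
    return table.get(digest)


if __name__ == "__main__":
    gib = 1024 ** 3
    print("digits only, 1-8 chars:   %d passwords, %.2f GiB per salt"
          % (keyspace(10, 8), table_bytes(10, 8) / gib))
    print("printable ASCII, 1-8:     %.2e passwords, %.2e GiB per salt"
          % (keyspace(95, 8), table_bytes(95, 8) / gib))
    print("x %d salts:              %.2e GiB"
          % (DES_SALTS, salted_table_bytes(95, 8) / gib))

    # Small-scale demonstration of what the salt buys.  Constructed data:
    # a table over 3-digit passwords, and a target hashed under another salt.
    unsalted = build_table(DIGITS, 3)
    print("unsalted lookup:", lookup(unsalted, toy_hash("742")))
    salted_aa = build_table(DIGITS, 3, salt="aa")
    print("salted table, same salt:", lookup(salted_aa, toy_hash("742", "aa")))
    print("salted table, other salt:", lookup(salted_aa, toy_hash("742", "ab")))
```

The second half is the point Manley makes: a table built for one salt value only answers hashes made with that salt, so a precomputed dictionary has to be built 4096 times over (or the attacker falls back to hashing candidates per target). The first half shows why the digits-only and full printable keyspaces differ by eight orders of magnitude.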