[2687] in bugtraq
Re: Selecting Good Passwords
daemon@ATHENA.MIT.EDU (John Orthoefer)
Tue Jun 4 23:10:19 1996
Date: Tue, 4 Jun 1996 15:05:52 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: John Orthoefer <jco@bbn.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
mdr@vodka.sse.att.com wrote:
> [stuff about automatic password generation]
When writing a routine to generate random passwords, it is important that you know
about your random number generator, since most random number
generators have cycles in them. So with analysis of the seeding
mechanism and the random number generator you could do attacks such as:
if the seed is generated based on PID
    o Look for users using the password program and record
      the pid of the process.
    o generate all passwords based on PIDs the system will
      give user level passwords.
if the seed is based on time
    o check the time on the password file; if the time
      changes, generate back all passwords within a few
      minutes of the time the password file changed.
    o snapshot the password file every 24 hours; for every
      password which has changed, generate all passwords for
      the last 24 hours. (Use of the last command could
      also tell what hours you are interested in.)
Remember the set of all unix passwords is pretty large, but if you eliminate
easy passwords you are still making the working set of possible passwords
smaller (no need to test the dictionary because the password program
won't let you enter those.)
Salts are good, but if you have the password file then you know all the
salts you're interested in.
> [good stuff about reusable passwords]
Cost-analysis planning is required to answer security vs. benefit
questions. I see VERY few people doing this when they implement
security and it bugs me.
"Think before you leap!" is a good rule to follow.
johno
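The point John makes about seeding is easy to see in code. The following example is added by the editor and is not part of the original post: it puts a generator seeded from a small value (a PID or the clock, as in the scenarios above) beside one drawn from the operating system's CSPRNG, and computes how much entropy a generated password can actually carry once the seed space is taken into account. The alphabet, password length and seed-space sizes are assumptions chosen for illustration.

```python
import math
import random
import secrets
import string

# Assumed generator parameters (not from the post): 8 characters over [A-Za-z0-9].
ALPHABET = string.ascii_letters + string.digits
LENGTH = 8


def weak_generate(seed: int, length: int = LENGTH) -> str:
    """Password from a PRNG seeded with a small integer such as a PID or
    epoch seconds. The output is a pure function of the seed: anyone who
    knows (or can bound) the seed knows the password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = LENGTH) -> str:
    """Password drawn from the OS CSPRNG (secrets module). There is no
    seed to observe, so PID or clock knowledge gives nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int = LENGTH) -> float:
    """Entropy the password format appears to offer: log2(|alphabet|^length)."""
    return length * math.log2(len(ALPHABET))


def effective_entropy_bits(seed_space: int, length: int = LENGTH) -> float:
    """A generator cannot emit more entropy than went into its seed, so the
    real strength is the smaller of the format's entropy and log2(seed_space).
    Example seed spaces (assumed, for illustration):
      2**15   classic 16-bit PID range
      86400   epoch seconds within a known 24-hour window
      2**256  a properly seeded CSPRNG"""
    return min(nominal_entropy_bits(length), math.log2(seed_space))


def audit_generator(seed_space: int, length: int = LENGTH) -> dict:
    """Summarise the gap between apparent and real strength for a reviewer."""
    nominal = nominal_entropy_bits(length)
    effective = effective_entropy_bits(seed_space, length)
    return {
        "nominal_bits": round(nominal, 2),
        "effective_bits": round(effective, 2),
        "seed_limited": effective < nominal,
    }


if __name__ == "__main__":
    # Same seed, same password: the property the post's attacks rely on.
    print(weak_generate(4242), weak_generate(4242))
    print(strong_generate())
    for space in (2**15, 86400, 2**256):
        print(space, audit_generator(space))
```

The `seed_limited` flag is what a reviewer of a password-generation routine should be looking for: if the seed space is smaller than the password space, the format's apparent strength is an illusion and the salt discussion in the post is beside the point.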