Date: Sat, 14 Dec 1996 14:23:11 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: proff@iq.org (Julian Assange)
Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
Message-ID: <199612142123.OAA22244@phaeton.artisoft.com>
In-Reply-To: <199612140135.MAA04639@profane.iq.org> from "Julian Assange" at Dec 14, 96 12:35:25 pm

> The FreeBSD account administration pw suite is able to produce
> "random" passwords for new accounts. Due to the simplicity of the
> password generation algorithm involved, the passwords are easily
> predictable amid a particular range of possibilities. This range
> may be very narrow, depending on what sort of information is
> available to the attacker.

[ ... vulnerability description elided ... ]

I've noticed a similar restriction on the search space is caused by
enforcing password length and use of particular values (digits,
control characters, and capitalization).

Once we add in "non-pronounceable" and "not in dictionary" and so on,
I think that eventually, in the interests of "security", users will
be forced to choose from a list of 10 or so "sufficiently safe"
passwords.

Of course, once that happens, we'll just publish the list... any
restriction on "allowed values" is an implicit restriction of the
search space a cracker is required to search, and makes cracking
just that much easier.

					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
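
The search-space argument in the message above can be put in numbers. The following Python is an added example, not part of the original post or of the pw suite: it counts how many passwords survive a "must contain at least one character from each required class" rule and how many bits of search space that rule removes. The 95-character printable alphabet, the length of 8, and the choice of digits and capitals as required classes are assumptions made for the illustration.

```python
import math
from itertools import combinations, product


def count_allowed(length, alphabet_size, required_class_sizes):
    """Count strings of `length` over an alphabet of `alphabet_size` symbols
    that contain at least one symbol from every required (disjoint) class.
    Uses inclusion-exclusion over the classes that are entirely absent."""
    total = 0
    for k in range(len(required_class_sizes) + 1):
        for missing in combinations(required_class_sizes, k):
            # Strings that avoid every class in `missing`.
            total += (-1) ** k * (alphabet_size - sum(missing)) ** length
    return total


def bits_lost(length, alphabet_size, required_class_sizes):
    """Bits of search space removed by the composition rule."""
    unrestricted = alphabet_size ** length
    allowed = count_allowed(length, alphabet_size, required_class_sizes)
    return math.log2(unrestricted) - math.log2(allowed)


def brute_force(alphabet, length, required_classes):
    """Exhaustive cross-check of count_allowed; small alphabets only."""
    return sum(
        1
        for candidate in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in candidate) for cls in required_classes)
    )


if __name__ == "__main__":
    # Assumed policy: exactly 8 printable ASCII characters (95 symbols),
    # at least one digit (10 symbols) and one capital letter (26 symbols).
    length, alphabet_size, classes = 8, 95, [10, 26]
    allowed = count_allowed(length, alphabet_size, classes)
    print("unrestricted candidates:", alphabet_size ** length)
    print("allowed by policy:      ", allowed)
    print("bits removed:            %.3f" % bits_lost(length, alphabet_size, classes))
    # Fixing the length also removes every shorter password from the space.
    shorter = sum(alphabet_size ** n for n in range(1, length))
    print("shorter passwords excluded by fixed length:", shorter)
```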