From owner-freebsd-security Sun Dec 15 05:21:15 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA25232 for security-outgoing; Sun, 15 Dec 1996 05:21:15 -0800 (PST)
Received: from isbalham.ist.co.uk (isbalham.ist.co.uk [192.31.26.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA25152; Sun, 15 Dec 1996 05:19:51 -0800 (PST)
Received: from gid.co.uk (uucp@localhost) by isbalham.ist.co.uk (8.8.4/8.8.4) with UUCP id NAA02088; Sun, 15 Dec 1996 13:03:59 GMT
Date: Sun, 15 Dec 1996 12:53:42 GMT
Received: from [194.32.164.2] by seagoon.gid.co.uk; Sun, 15 Dec 1996 12:53:42 GMT
X-Sender: rb@194.32.164.1
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Terry Lambert , proff@iq.org (Julian Assange)
From: rb@gid.co.uk (Bob Bishop)
Subject: Re: vulnerability in new pw suite
Cc: security@freebsd.org, hackers@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 2:23 pm 14/12/96, Terry Lambert wrote:
>I've noticed a similar restriction on the search space is caused by
>enforcing password length and use of particular values (digits,
>control characters, and capitalization)
>
>Once we add in "non-pronounceable" and "not in dictionary" and so on,
>I think that eventually, in the interests of "security", users will
>be forced to choose from a list of 10 or so "sufficiently safe"
>passwords.
>
>Of course, once that happens, we'll just publish the list... any
>restriction on "allowed values" is an implicit restriction of the
>search space a cracker is required to search, and makes cracking
>just that much easier.

Apologies if my irony detector is malfunctioning, but I can't let this
one go :-)

There are something over 10^14 usable 8 character passwords. Of these,
maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per
user could be found easily by trawling the user's home directory and
points south. Throw in a few more (SO's name, phone number and the like)
and maybe you can get up to c. 2 x 10^5 passwords per user that are
unsafe. That still leaves comfortably over 10^14 comparatively safe
8 character passwords.

So there isn't actually a problem, it's just that those pesky users will
insist on picking passwords from the unsafe set. They use lame excuses
like "I can't remember %bSx48&J".

Insisting on one non-alphanumeric character reduces the total search
space right enough, to between 10^13 and 10^14, but it almost certainly
forces the password out of the much smaller unsafe set. You can
introduce a few such restrictions before the total search space falls
below 10^12 which is probably good enough. At least, it's *much* better
than 10^5.

--
Bob Bishop          (0118) 977 4017   international code +44 118
rb@gid.co.uk    fax (0118) 989 4254   between 0800 and 1800 UK
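The arithmetic behind the message above, as an added worked example (this is not code from the original thread or from the FreeBSD pw suite). It counts how many 8-character passwords survive a composition rule using inclusion-exclusion, and runs a small constructed list of dictionary-style guesses through the same rule to show that the rule empties the cheap "unsafe set" while barely denting the total. Assumptions: the alphabet is the 95 printable ASCII characters split into four classes (26 lowercase, 26 uppercase, 10 digits, 33 non-alphanumerics); the guess list is made up for illustration. For reference, 62^8 (alphanumerics only) is about 2.2 x 10^14 and 95^8 (all printables) about 6.6 x 10^15.

```python
"""Search-space arithmetic for 8-character passwords under composition rules.

Added example for the thread above, not code from the original message.
Assumptions: the alphabet is the 95 printable ASCII characters, split into
four classes; the "unsafe" guess list below is constructed for illustration.
"""
from itertools import combinations
import string

LENGTH = 8
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),    # 26
    "upper": frozenset(string.ascii_uppercase),    # 26
    "digit": frozenset(string.digits),             # 10
    "other": frozenset(string.punctuation + " "),  # 33 non-alphanumerics
}
ALPHABET = frozenset().union(*CLASSES.values())   # 95 printable characters


def count_with_required(required, length=LENGTH):
    """Number of `length`-character strings over ALPHABET that contain at
    least one character from every class named in `required`.

    Inclusion-exclusion over the classes that are *missing*: for each subset
    S of the required classes, the strings avoiding all of S number
    (|ALPHABET| - |union S|) ** length, counted with sign (-1) ** |S|.
    """
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            avoided = frozenset().union(*(CLASSES[c] for c in missing))
            total += (-1) ** k * (len(ALPHABET) - len(avoided)) ** length
    return total


def satisfies(password, required, length=LENGTH):
    """Policy check: exact length, printable alphabet, every required class present."""
    if len(password) != length or any(ch not in ALPHABET for ch in password):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


# Constructed stand-ins for the "unsafe set": dictionary words, a name plus
# digits, a keyboard walk, a digit string of the phone-number kind.
UNSAFE_GUESSES = [
    "password", "letmein1", "baseball", "Susan123",
    "01234567", "freebsd1", "Hacker42", "qwertyui",
]


def survivors(required, guesses=UNSAFE_GUESSES):
    """Guesses from the unsafe set that still pass the policy."""
    return [g for g in guesses if satisfies(g, required)]


def search_space_report(required):
    """Policy-compliant space size and how many cheap guesses remain inside it."""
    total = count_with_required(required)
    return {
        "required": tuple(required),
        "total": total,
        "log10": len(str(total)) - 1,   # floor(log10(total)) for positive ints
        "unsafe_remaining": len(survivors(required)),
    }


if __name__ == "__main__":
    for rule in ([], ["other"], ["digit", "other"],
                 ["lower", "upper", "digit", "other"]):
        print(search_space_report(rule))
```

Running it shows the shape of the argument: requiring one non-alphanumeric removes 62^8 of the 95^8 strings (the order of magnitude stays at 10^15 with this alphabet), yet every entry in the constructed guess list fails the rule, so an attacker's cheap 10^5-sized first pass buys nothing against a compliant password. Requiring all four classes still leaves a space of the order of 10^15. The inclusion-exclusion count generalizes to any set of required classes, which the message only sketches for the single-class case.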