Date:      Sun, 15 Dec 1996 13:39:04 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        rb@gid.co.uk (Bob Bishop)
Cc:        terry@lambert.org, proff@iq.org, security@freebsd.org, hackers@freebsd.org
Subject:   Re: vulnerability in new pw suite
Message-ID:  <199612152039.NAA23837@phaeton.artisoft.com>
In-Reply-To: <v01540b04aed9945c1391@[194.32.164.2]> from "Bob Bishop" at Dec 15, 96 12:53:42 pm

> There are something over 10^14 usable 8 character passwords. Of these,
> maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per user
> could be found easily by trawling the user's home directory and points
> south. Throw in a few more (SO's name, phone number and the like) and maybe
> you can get up to c. 2 x 10^5 passwords per user that are unsafe. That
> still leaves comfortably over 10^14 comparatively safe 8 character
> passwords.
> 
> So there isn't actually a problem, it's just that those pesky users will
> insist on picking passwords from the unsafe set. They use lame excuses like
> "I can't remember %bSx48&J".

Heh.

Please define "unsafe" in the context of a functional (inaccessible for
pre-salt-based attacks) shadow password system.

8-) 8-).

I'm tired of having passwd not let me use whatever password I want,
considering that with a shadow file, the user will have to brute-force
it through /bin/login or equivalent.  It seems the harder it becomes to
see my post-encryption password, the more anal the passwd command
becomes about making post-encryption passwords "safe" from attacks
which are impossible to institute unless root has been compromised.

Just my opinion about anal passwd programs...


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


