From owner-freebsd-hackers Sun Dec 15 13:10:14 1996
Return-Path: <owner-hackers@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA00451 for hackers-outgoing; Sun, 15 Dec 1996 13:10:14 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA00446; Sun, 15 Dec 1996 13:10:11 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id NAA23837; Sun, 15 Dec 1996 13:39:04 -0700
From: Terry Lambert <terry@lambert.org>
Message-Id: <199612152039.NAA23837@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: rb@gid.co.uk (Bob Bishop)
Date: Sun, 15 Dec 1996 13:39:04 -0700 (MST)
Cc: terry@lambert.org, proff@iq.org, security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Bob Bishop" at Dec 15, 96 12:53:42 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> There are something over 10^14 usable 8 character passwords. Of these,
> maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per user
> could be found easily by trawling the user's home directory and points
> south. Throw in a few more (SO's name, phone number and the like) and maybe
> you can get up to c. 2 x 10^5 passwords per user that are unsafe. That
> still leaves comfortably over 10^14 comparatively safe 8 character
> passwords.
>
> So there isn't actually a problem, it's just that those pesky users will
> insist on picking passwords from the unsafe set. They use lame excuses like
> "I can't remember %bSx48&J". Heh.

Please define "unsafe" in the context of a functional (inaccessible for
pre-salt-based attacks) shadow password system. 8-) 8-).

I'm tired of having passwd not let me use whatever password I want,
considering that with a shadow file, the user will have to brute-force it
through /bin/login or equivalent.
It seems the harder it becomes to see my post-encryption password, the more
anal the passwd command becomes about making post-encryption passwords
"safe" from attacks which are impossible to institute unless root has been
compromised.

Just my opinion about anal passwd programs...

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
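The two attack models argued over in the message above, as an added worked example that is not part of the original mail or of the FreeBSD pw suite: Bob's "unsafe set" (dictionary words plus per-user guessables built from material such as a partner's name or a phone number) is cheap to enumerate offline once the hash field is readable, whereas the full 8-character space (62^8, i.e. "something over 10^14" for an alphanumeric alphabet) is only reachable by guessing through a login prompt when the hash is shadowed. Assumptions not from the page: salted SHA-256 stands in for the crypt(3) DES hash of the era, the wordlist, user data and salt are constructed here, and the online guess rate is a parameter the caller supplies.

```python
"""Offline dictionary attack on an exposed hash vs. online search of the
full 8-character space. Added example; salted SHA-256 is an assumed stand-in
for crypt(3), and all inputs below are constructed."""
import hashlib
import itertools

# Alphanumeric alphabet: 62^8 is "something over 10^14", matching the thread.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def hash_pw(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3): salted hash of the cleartext (assumption)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(user: str, password: str, salt: bytes) -> dict:
    """One passwd/shadow line: the attacker needs 'salt' and 'hash' to work offline."""
    return {"user": user, "salt": salt.hex(), "hash": hash_pw(password, salt)}


def guessables(user_info: dict) -> list:
    """Per-user candidates from 'trawling the home directory': login name,
    SO's name, phone number, each with the usual manglings (case flips,
    reversal, trailing digit, trailing '!')."""
    seeds = [user_info["user"], user_info["so_name"], user_info["phone"]]
    out = []
    for s in seeds:
        # dict.fromkeys keeps insertion order while dropping duplicates
        for base in dict.fromkeys([s, s.lower(), s.capitalize(), s[::-1]]):
            out.append(base)
            out.extend(base + d for d in "0123456789")
            out.append(base + "!")
    return out


def candidates(dictionary: list, user_info: dict) -> list:
    """The 'unsafe set' for one user: dictionary words, then guessables."""
    return list(dict.fromkeys(itertools.chain(dictionary, guessables(user_info))))


def offline_attack(entry: dict, wordlist: list):
    """Hash field readable (no shadow file): each guess is a local hash
    computation, no login involved. Returns (password, guesses) or (None, guesses)."""
    salt = bytes.fromhex(entry["salt"])
    for n, guess in enumerate(wordlist, 1):
        if hash_pw(guess, salt) == entry["hash"]:
            return guess, n
    return None, len(wordlist)


def space_size(length: int = 8, alphabet: str = ALPHABET) -> int:
    """Number of passwords of the given length over the alphabet."""
    return len(alphabet) ** length


def expected_online_seconds(space: int, guesses_per_second: float) -> float:
    """Hash shadowed: guesses must go through /bin/login or equivalent at the
    rate the login path allows; on average half the space is searched."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed sample data: a user whose password is the SO's name plus a digit.
    bob = {"user": "bob", "so_name": "Alice", "phone": "5551234"}
    entry = make_entry("bob", "Alice7", salt=b"\x01\x02")
    unsafe = candidates(["password", "letmein", "freebsd"], bob)
    print("offline, unsafe-set password:", offline_attack(entry, unsafe))
    strong = make_entry("bob", "%bSx48&J", salt=b"\x01\x02")
    print("offline, random password:", offline_attack(strong, unsafe))
    print("8-char alphanumeric space:", space_size())
    print("years to search it at 10 guesses/s via login:",
          expected_online_seconds(space_size(), 10) / (365.25 * 86400))
```

The offline search is bounded by the size of the unsafe set (a few hundred thousand hashes, seconds of work with the hash in hand), which is the attack passwd's strength checks are aimed at; the online estimate shows the order of magnitude Terry is pointing at once the hash is shadowed and every guess has to pass through the login path.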