Improving password security
John F. Haugh II
jfh at rpp386.Dallas.TX.US
Mon Nov 21 02:20:32 AEST 1988
In article <27987 at tut.cis.ohio-state.edu> jgreely at banjo.cis.ohio-state.edu (J Greely) writes:
>point by point:
>1. break the plaintext: trivial to do, if I can read libc.a on your
> system. Since crypt is a standard library function, the object
> file is open to anyone who wants it. Your secret plaintext is
> secret only so long as no one is allowed to use the crypt function.
No, you can call setkey() from inside of login(1). Then the cracker
has to be able to read login(1).
If you allow the bad guy to read login, you lose. If you are running
shadow password files and you let the bad guy read that, then you
lose as well. But in the normal case you would have to be root to
read the files, or have physical access to the dump tapes or system
console [ to break in at single user ].
Greely is on the right track - you can't just add one feature [ new
plaintext ] and expect that to solve all your problems.
--
John F. Haugh II +----------Quote of the Week:----------
VoiceNet: (214) 250-3311 Data: -6272 | "Okay, so maybe Berkeley is in north-
InterNet: jfh at rpp386.Dallas.TX.US | ern California." -- Henry Spencer
UucpNet : <backbone>!killer!rpp386!jfh +--------------------------------------
More information about the Comp.unix.wizards
mailing list