[TUHS] Recovered /etc/passwd files

Michael Kjörling michael at kjorling.se
Sun Oct 6 03:29:44 AEST 2019


On 3 Oct 2019 18:51 +0000, from finnoleary at inventati.org (Finn O'Leary):
> password was something interesting like './,..,/' (it was entirely
> punctuation characters, was around three different characters in total, and
> was pretty damn short).

I'm a bit late to the party here (it's been a crazy week for me and
I'm only just now starting to catch up), but don't forget that hashed
Unix passwords back then were limited to eight bytes (actually I
believe the hard limit was 64 bits' worth of password, so if your
system used less than 8 bits per character, you could theoretically
cram more _characters_ into the password, but not more _entropy_,
which topped out at 2^64 no matter what you did, and in practice a
fair bit less because you wanted to be able to type it in).

Of course, this wasn't a problem in practice when even just hashing a
single candidate password took noticeable fractions of a second. At 100
ms per hash, while you could exhaustively search the lower
alphanumerics four characters space within about two days (my
calculator says 1.944 * 86400 seconds for that) if you could hog the
computer for everyone, by the time you got to six characters the same
search would take almost 7 years, and eight characters the better part
of 9000 years (assuming you kept running it on the same hardware for
the duration).

Adding uppercase A-Z alongside lowercase a-z and 0-9 increases the
exhaustive search time even for the four characters password space to
about 17 days at 100 ms per hash. So with no additional information
for an attacker, even a [a-zA-Z0-9]{4} password was tolerably secure,
and a [a-zA-Z0-9]{5} one was more than good enough if you changed it
once a year (would take about three years to crack at 100 ms/hash).

William Cheswick mentioned 8e9 hashes per second. While that sounds
low for good ol' Unix crypt() to me, at that rate, an exhaustive
search of [a-z0-9]{8} would take about 353 days, again according to my
calculator. [a-z0-9]{4} would finish in about 18 seconds. My _guess_,
without having looked up current numbers, is that these figures are at
least some two orders of magnitude too high given modern hardware.
Just look at EFF's good ol' Deep Crack.

I wasn't really around much at the time, but if _The Cuckoo's Egg_ is
to be believed, the bigger problem was that people in general weren't
any better at choosing good passwords (or keeping them secret) back
then than they are today. That honestly wouldn't particularly surprise
me. Technology advances, but people remain largely the same?

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
  “The most dangerous thought that you can have as a creative person
              is to think you know what you’re doing.” (Bret Victor)
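
Added example (not part of the original message): a small calculator for the single-machine exhaustive-search times worked through above, plus the shortest password length that outlasts a given rotation period under the eight-character cap the message describes. The function names and the 1 ns/hash rate in the demo are assumptions made for illustration.

```python
import string

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character classes named in the message.
LOWER_ALNUM = string.ascii_lowercase + string.digits   # [a-z0-9], 36 symbols
MIXED_ALNUM = string.ascii_letters + string.digits     # [a-zA-Z0-9], 62 symbols


def keyspace(alphabet, length, up_to=False):
    """Candidates of exactly `length` characters, or of 1..length if up_to."""
    n = len(set(alphabet))
    if up_to:
        return sum(n ** k for k in range(1, length + 1))
    return n ** length


def search_seconds(alphabet, length, seconds_per_hash, up_to=False):
    """Worst-case time to hash every candidate on one machine."""
    return keyspace(alphabet, length, up_to) * seconds_per_hash


def min_length_for(alphabet, seconds_per_hash, lifetime_seconds, max_len=8):
    """Shortest length whose full search outlasts the password lifetime.

    max_len defaults to the eight-character limit of the old hash.
    Returns None when even max_len characters fall within the lifetime.
    """
    for length in range(1, max_len + 1):
        if search_seconds(alphabet, length, seconds_per_hash) > lifetime_seconds:
            return length
    return None


if __name__ == "__main__":
    for name, alphabet in (("[a-z0-9]", LOWER_ALNUM), ("[a-zA-Z0-9]", MIXED_ALNUM)):
        for length in (4, 5, 6, 8):
            days = search_seconds(alphabet, length, 0.1) / SECONDS_PER_DAY
            print(f"{name}{{{length}}} at 100 ms/hash: {days:,.1f} days")
    # 100 ms/hash is the message's figure; 1 ns/hash is a constructed fast rate.
    for rate in (0.1, 1e-9):
        print(rate, min_length_for(MIXED_ALNUM, rate, SECONDS_PER_YEAR))
```

At the constructed 1 ns/hash rate the last line prints None: with the length capped at eight, no [a-zA-Z0-9] password survives a one-year rotation.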

