From: The Deviant <deviant@pooh-corner.com>
To: Dave Kinchlea <security@kinch.ark.com>
Message Hash: 70144ae7a6112152ec8c61bb7d68edb6c4d483ad6439fd275f436c902f1cb557
Message ID: <Pine.LNX.3.94.961117215609.504A-100000@random.sp.org>
Reply To: <Pine.LNX.3.95.961117133536.1181L-100000@kinch.ark.com>
UTC Datetime: 1996-11-17 22:01:00 UTC
Raw Date: Sun, 17 Nov 1996 14:01:00 -0800 (PST)
From: The Deviant <deviant@pooh-corner.com>
Date: Sun, 17 Nov 1996 14:01:00 -0800 (PST)
To: Dave Kinchlea <security@kinch.ark.com>
Subject: Re: RFC: A UNIX crypt(3) replacement
In-Reply-To: <Pine.LNX.3.95.961117133536.1181L-100000@kinch.ark.com>
Message-ID: <Pine.LNX.3.94.961117215609.504A-100000@random.sp.org>
MIME-Version: 1.0
Content-Type: text/plain
On Sun, 17 Nov 1996, Dave Kinchlea wrote:
> On Sun, 17 Nov 1996, The Deviant wrote:
>
> > On Sun, 17 Nov 1996, Adam Shostack wrote:
> > > A longer salt would make running crack against a large
> > > password file slower.
> >
> > While thats all well and good, it shouldn't be necisary. If passwords are
> > shadowed, one must have root access before one can run crack against the
> > password list, at which time it is innefective.
>
> I couldn't disagree more (not that I necessarily agree or disagree with
> Adam's approach). Sure, once you have root you don't need any other
> access, until the hole is found and closed that gave root in the first
> place. After that, that /etc/shadow file with the lousy passwords (that
> seem inevitable with folks using /etc/shadow as they get complacent
> with a false sense of security) provide the would-be cracker with a set
> of local accounts to (try to) break in again. Local accounts are
> definitely an advantage should you be looking for way to break any Unix
> variant.
>
> The moral of the story is: ALWAYS ensure that whatever passwords you
> have on your unix system are not beatable by crack, don't rely upon
> hiding them because if you are wrong you are in it up to your neck!
>
> cheers, kinch
>
Oh.. you misunderstand what I'm saying... I'm not saying its unemportant
for you to have good passwords or anything like that, I'm just pointing
out that rather than replace the entire system, its more prudent to fully
install it.
I still think admins should run crack against their own lists, etc., but
that still shouldn't be a problem to a good cracker. If you've just
gotten root on a system, you start backdooring everything, not trying to
crack the password list.
--Deviant
Even God cannot change the past.
-- Joseph Stalin
Return to November 1996
Return to “The Deviant <deviant@pooh-corner.com>”