roberts@cmr.icst.nbs.gov (John Roberts) (07/09/88)
Careful analysis shows that the best possible password is "k75LL43j". If you want to have the greatest available security, you should change your password to this value right away. <For those who didn't get it, I'm JUST KIDDING. Don't do it. (See if you can figure out why.)> John Roberts roberts@cmr.icst.nbs.gov
PAAAAAR%CALSTATE.BITNET@cunyvm.cuny.edu (07/13/88)
Date: Fri, 8 Jul 88 14:51:35 EDT
From: roberts@CMR.ICST.NBS.GOV
Subject: good passwords
> Careful analysis shows that the best possible password is "k75LL43j". If you want to have the greatest available security, you should change your password to this value right away. <For those who didn't get it, I'm JUST KIDDING. Don't do it. (See if you can figure out why.)> John Roberts roberts@cmr.icst.nbs.gov
===== Reply from Richard Botting <PAAAAAR> ===========================
You can increase the security of passwords fairly simply by expanding the character set involved. A randomly placed '@' or '.' is a way to stop anyone trying to crack your account - who has never used a system with non-alpha-numeric passwords. Which Unix flavours (if any) permit control codes in passwords? If you can, the occasional CTRL/H may foil many 'amateur' attempts. It is important for these strategies not to be known - so why am I posting them! Well, if everybody starts including a strange character, then I can make my accounts safe by not having one...
Another way to improve security is to use a dictionary, opened at random, to select two shortish words as your new passwd.
To protect novice students you can include 'passwd' in their .profile/.login files in their home directories. This means that they have to think about not changing it until they learn how to edit their .profile/.login files...
It is not difficult, by the way, to hack the source code for login.c so that
(1) only N attempts can be made (N close to 3 is good)
(2) attempts that fail are printed on the console (paper is not erasable)
(3) the N+1th attempt logs the person in as a 'guest'. On our system the shell for guests (bona fide and accidental) is a hyper-simple BBS with the ability to send and read mail (useful for people who forget their password).
I did these things and have had the system running 24 hours a day with the phone number published nationally and locally - with nobody yet managing to crack the system.
Here is a final experimental idea. Replace pass *words* by pass *phrases*. In other words, the user remembers 'Shall I compare thee to a summer's day' and types SIcttasd. This looked good until I read one of St. Isaac Asimov's mystery tales that has this type of password figured out by a waiter.
Any other ideas????
Dick Botting PAAAAAR@CCS.CSUSCC.CALSTATE(doc-dick) paaaaar@calstate.bitnet PAAAAAR%CALSTATE.BITNET@{depends on the phase of the moon}.EDU
Dept Comp Sci., CSUSB, 5500 State Univ Pkway, San Bernardino CA 92407
Disclaimer: What with my brain, my fingers, this Mac, the PDP, the CSU CYBERS, transmission errors, your machine, terminal eyes and brain.. I probably didn't think what you thought you just read anyway!
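To put numbers on the schemes Botting proposes above (a random punctuation character, two dictionary words), here is an added example that is not part of the thread; it computes the search space of each scheme on the assumption that the attacker knows the strategy, so that the only thing left secret is the random choice. The dictionary size, word length and symbol count are constructed figures, not values from the post.

```python
import math

# Constructed figures (assumptions, not from the thread):
ALNUM = 62          # a-z, A-Z, 0-9
PRINTABLE = 95      # printable ASCII: alnum plus punctuation and space
DICT_WORDS = 20000  # "shortish" words an attacker could pull from a dictionary
MAX_WORD = 6        # longest word still counted as shortish
SYMBOLS = 2         # '@' or '.', as suggested in the post


def bits(choices: float) -> float:
    """Entropy in bits of a uniform choice among `choices` alternatives."""
    return math.log2(choices)


def random_chars(length: int, alphabet: int) -> float:
    """Search space of a uniformly random string such as "k75LL43j"."""
    return length * bits(alphabet)


def two_random_words(words: int) -> float:
    """Two words picked at random from a dictionary of `words` entries."""
    return 2 * bits(words)


def two_words_plus_symbol(words: int, max_len: int = 2 * MAX_WORD,
                          symbols: int = SYMBOLS) -> float:
    """Two random words with one of `symbols` inserted at a random position.

    Once the attacker knows the trick, the gain over two_random_words() is
    only the randomness of the position and of the symbol chosen.
    """
    return two_random_words(words) + bits(max_len + 1) + bits(symbols)


def days_to_half_space(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected days to search half the space at the given guessing rate."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / 86400
```

With the constructed figures, the random symbol adds under five bits to a two-word password, while eight random printable characters beat eight random alphanumerics by about five bits per position; the protection Botting describes as depending on the trick being unknown is exactly the part this calculation leaves out.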
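The three-point login.c change described above (N attempts, failures logged, the next attempt diverted to a guest shell), as an added simulation that is not Botting's code; the salted hash and the in-memory "console" list are constructed stand-ins for the passwd entry and the printing console, and the log records who and when rather than the string typed.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Constructed stand-in for a passwd entry: (salt, salted SHA-256)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def password_ok(salt: bytes, stored: bytes, candidate: str) -> bool:
    digest = hashlib.sha256(salt + candidate.encode()).digest()
    return hmac.compare_digest(digest, stored)  # constant-time comparison


def login_session(user: str, attempts: List[str], salt: bytes, stored: bytes,
                  console: List[str], max_tries: int = 3) -> Optional[str]:
    """Simulate the modified login and return the shell the session gets.

    - a correct password within max_tries logs `user` in;
    - every failure is appended to `console` (the printed log in the post),
      recording the account and time but not the candidate itself, since a
      mistyped real password would otherwise end up on paper;
    - the attempt after max_tries failures is not checked at all and lands
      in the 'guest' shell, so continued guessing learns nothing further.
    """
    failures = 0
    for candidate in attempts:
        stamp = time.strftime("%H:%M:%S")
        if failures >= max_tries:
            console.append(f"{stamp} {user}: diverted to guest shell")
            return "guest"
        if password_ok(salt, stored, candidate):
            return user
        failures += 1
        console.append(f"{stamp} {user}: failed attempt {failures}")
    return None  # caller hung up before either outcome
```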
strong@tc.fluke.COM (Norm Strong) (07/15/88)
Actually, the best way to gain access to someone else's files is to: BRIBE THE SUPERUSER -- Norm (strong@tc.fluke.com)
strong@tc.fluke.COM (Norm Strong) (07/15/88)
And if you can't bribe the superuser, here's another way to gain access to some poor fool's files. After you're sure he's logged in, have the receptionist call him and tell him that he's supposed to attend a meeting in Room xxx right away. When he leaves his desk, run over to his terminal and copy all his files into your directory. -- Norm (strong@tc.fluke.com)
cmiller@sunspot.UUCP (Charlie Miller) (07/20/88)
In article <4451@fluke.COM> strong@tc.fluke.COM (Norm Strong) writes:
>And if you can't bribe the superuser, here's another way to gain access to
>some poor fool's files.
>
>After you're sure he's logged in, have the receptionist call him and tell him
>that he's supposed to attend a meeting in Room xxx right away. When he leaves
>his desk, run over to his terminal and copy all his files into your
>directory.
>--
>Norm (strong@tc.fluke.com)
How about leaving a program running on a terminal, say in a student terminal room, that mimics the standard login prompt? Then just file away the user name and password...etc.
Charlie (cmiller@sunspot.UUCP)
todd@uop.edu ( Todd/Dr. Nethack ) (07/20/88)
Trojan horses, copy the files over... goodness! Why don't you guys use wire taps? Lots easier!! There are other ways as well.. You don't even have to cut into the wires to gain access!! Jeez!! No password in the world is safe against an attack like that!
gph@hpsemc.HP.COM (Paul Houtz ) (07/21/88)
cmiller@sunspot.UUCP (Charlie Miller) writes:
>How about leaving a program running on a terminal, say in a student
>terminal room, that mimics the standard login prompt? Then just file
>away the user name and password...etc.
It's been done before, Charlie. But it's a GREAT idea that works nearly every time. I know. I've used it myself.
brianm@sco.COM (Brian Moffet) (07/21/88)
In article <1624@uop.edu> todd@uop.edu ( Todd/Dr. Nethack ) writes:
+
+Why don't you guys use wire taps?
+
+You don't even have to cut into the wires to gain access!!
Except for terminals which use light fiber as their means of communications.
There is no way of tapping these without cutting the wire, and even then
you need an incredible amount of technology available.
--
Brian Moffet brianm@sco.com {uunet,decvax!microsof}!sco!brianm
The opinions expressed are not quite clear and have no relation to my employer.
'Evil Geniuses for a Better Tomorrow!'
randy@umn-cs.cs.umn.edu (Randy Orrison) (07/22/88)
In some unknown article cmiller@sunspot.UUCP (Charlie Miller) writes:
|How about leaving a program running on a terminal, say in a student
|terminal room, that mimics the standard login prompt? Then just file
|away the user name and password...etc.
Our reaction to this in the University of Minnesota Math Dept. computer lab was to tell students to turn their terminals off when they were done. Our nice Tellab box would disconnect them from the computer and when the terminal was turned back on re-issue the network prompt. (Guaranteed real)
Of course, the people running programs like the above wouldn't turn their terminals off, so the consultants went around turning them off in their spare time.
We did this in response to problems reported in other labs. Never had any trouble in our own.
-randy
--
Randy Orrison, Control Data, Arden Hills, MN randy@ux.acss.umn.edu {bungia, uunet!hi-csc, rutgers, sun}!umn-cs!randy
"I consulted all the sages I could find in Yellow Pages, but there aren't many of them." -APP
aglew@urbsdc.Urbana.Gould.COM (07/27/88)
>Except for terminals which use light fiber as their means of communications.
>There is no way of tapping these without cutting the wire, and even then
>you need an incredible amount of technology available.
Recently read that researchers at IBM have succeeded in wiretapping optic fiber, by shining a laser through the side of the fiber. The light passing through the length of the fiber generates heat through loss, which changes the refractive index and perturbs the beam shining from the side.
Of course, you have to get access to the fiber - or do you? Want to bet that optical fiber cladding isn't transparent to some laser or maser frequencies?
aglew@gould.com
gwyn@brl-smoke.ARPA (Doug Gwyn ) (07/29/88)
In article <681@viscous> brianm@sco.COM (Brian Moffet) writes:
-In article <1624@uop.edu> todd@uop.edu ( Todd/Dr. Nethack ) writes:
-+Why don't you guys use wire taps?
-+You don't even have to cut into the wires to gain access!!
-Except for terminals which use light fiber as their means of communications.
-There is no way of tapping these without cutting the wire, and even then
-you need an incredible amount of technology available.
Well, that's not very widespread yet, but even so, fiber-optic cable can be tapped without severing the fiber.