smith@sctc.com (Rick Smith) (03/28/91)
mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:

> This dictionary-attack newbie stuff is about IBM-PC BBS-weenie
>level. Sure, it works, but it's nauseatingly amateurish.
                                 ^^^^^^^^^^^^ ^^^^^^^^^^

Ugh. This type of comment is nauseatingly amateurish. And rude.

I don't like comments that choke off honest questions. Dictionary
attacks may lack "glamour" somehow, but they _are_ effective on many
systems. And it's clear from other comments in this thread that they
aren't as well understood as security types might wish.

lupienj@hpwadac.hp.com (John Lupien) (04/06/91)
In article <1991Mar27.094325.24599@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>PS I learned earlier from another that UNIX does not use a DES
> encryption method for the password; however, a one-way method
> is used making decoding a password impossible.
                                     ^^^^^^^^^^^
To borrow a phrase from one of those "Airplane" movies, "You use that
word a lot. I don't think it means what you think it means."

When someone says that something is "impossible", the first thing that
comes to my mind is "how long has it been impossible, and how long will
it stay that way?". Certainly I don't know how to decode an encrypted
UNIX password, but I think it is somewhat foolhardy to assume that nobody
does. There are some very clever people around, and some of them have some
very fast and capable hardware.

---
John R. Lupien
lupienj@hpwarq.hp.com

jik@athena.mit.edu (Jonathan I. Kamens) (04/10/91)
In article <1916@hpwala.wal.hp.com>, lupienj@hpwadac.hp.com (John Lupien) writes:
|> To borrow a phrase from one of those "Airplane" movies, "You use that
|> word a lot. I don't think it means what you think it means."

It was "The Princess Bride," not "one of those `Airplane' movies." :-)

--
Jonathan Kamens                 USnail:
MIT Project Athena              11 Ashford Terrace
jik@Athena.MIT.EDU              Allston, MA 02134
Office: 617-253-8085            Home: 617-782-0710

bryan@intellistor.com (John Bryan) (04/11/91)
In <1916@hpwala.wal.hp.com> lupienj@hpwadac.hp.com (John Lupien) writes:

>In article <1991Mar27.094325.24599@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
>>PS I learned earlier from another that UNIX does not use a DES
>> encryption method for the password; however, a one-way method
>> is used making decoding a password impossible.
>                                     ^^^^^^^^^^^
>To borrow a phrase from one of those "Airplane" movies, "You use that
>word a lot. I don't think it means what you think it means."
>
> ... [ deleted ] ...
>
>---
>John R. Lupien
>lupienj@hpwarq.hp.com

I can't resist. The movie in question is "The Princess Bride", not any
of the Airplane movies. And the word in question there was
"inconceivable!"

--
------------------------------------------------------------------------
John T. Bryan        | e-mail: bryan@intellistor.com
Intellistor, Inc.    | UUCP: ...!csn!arrayb!bryan
Longmont, CO         | USPS: 2402 Clover Basin Drive, 80503
(303) 682-6527       |

jason@cs.odu.edu (Jason "dedos" Austin) (04/11/91)
In article <1916@hpwala.wal.hp.com> lupienj@hpwadac.hp.com (John Lupien) writes:
-> In article <1991Mar27.094325.24599@en.ecn.purdue.edu> kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
-> >PS I learned earlier from another that UNIX does not use a DES
-> > encryption method for the password; however, a one-way method
-> > is used making decoding a password impossible.
->                                      ^^^^^^^^^^^
-> To borrow a phrase from one of those "Airplane" movies, "You use that
-> word a lot. I don't think it means what you think it means."

I believe that was from The Princess Bride.

->
-> When someone says that something is "impossible", the first thing that
-> comes to my mind is "how long has it been impossible, and how long will
-> it stay that way?". Certainly I don't know how to decode an encrypted
-> UNIX password, but I think it is somewhat foolhardy to assume that nobody
-> does. There are some very clever people around, and some of them have some
-> very fast and capable hardware.
->
->
-> ---
-> John R. Lupien
-> lupienj@hpwarq.hp.com

It's not too hard to show that it is possible to decode a
password. Every time the same salt and the same password are run
through the crypt function, the same code comes out. (It would have to
or the thing wouldn't work at all) At the worst case, an exhaustive
table from coded to decoded passwords would give right answers. Even
if the relation is not 1-1 and each code has more than one possible
decoding, any of the valid decodings would let you log in. Of course,
this would be quite a large table to calculate considering all the
permutations.

--
Jason C. Austin
jason@cs.odu.edu

richter@immd4.informatik.uni-erlangen.de (Joachim Richter) (04/16/91)
In article <JASON.91Apr10225530@lancelot.cs.odu.edu> jason@cs.odu.edu (Jason "dedos" Austin) writes:
>
> It's not too hard to show that it is possible to decode a
>password. Every time the same salt and the same password are run
>through the crypt function, the same code comes out.
>(It would have to
>or the thing wouldn't work at all) At the worst case, an exhaustive
>table from coded to decoded passwords would give right answers. Even
>if the relation is not 1-1 and each code has more than one possible
>decoding, any of the valid decodings would let you log in. Of course,
>this would be quite a large table to calculate considering all the
>permutations.
>--
>Jason C. Austin
>jason@cs.odu.edu

Right. Of course you can do that. You can also, for a given object file,
find the source code that, when compiled, gives that object code that way.
No problem. Maybe it will take a while - some millions of years or so.
But, since the number of source codes that give the same object code
is infinite, your chance is not so bad :-)

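The argument in the two posts above, worked through as an added example that is not part of any post in this thread: a salted one-way function is deterministic, so an exhaustive table does decode it, but the table is valid for one salt only and its cost grows with the keyspace. `toy_crypt` is a hypothetical SHA-256 stand-in for crypt(3); the 95-character alphabet, 8-character limit and 4096 salts are the traditional crypt(3) parameters, and the hash rate is an assumed figure.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase  # constructed toy alphabet (26 symbols)
MAX_LEN = 3                        # constructed toy length limit


def toy_crypt(password, salt):
    """Hypothetical stand-in for crypt(3): salted, deterministic, one-way."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def keyspace(alphabet_size, max_len):
    """Number of passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_table(salt):
    """Exhaustive coded -> decoded table. It is valid for this salt only."""
    table = {}
    for n in range(1, MAX_LEN + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            pw = "".join(combo)
            table[toy_crypt(pw, salt)] = pw
    return table


def years_to_enumerate(alphabet_size, max_len, salts, hashes_per_second):
    """Time to fill the table for every salt at an assumed hash rate."""
    total = keyspace(alphabet_size, max_len) * salts
    return total / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    table = build_table("ab")
    stored = toy_crypt("cat", "ab")          # constructed sample entry
    print(len(table), "entries; lookup ->", table[stored])
    # Same password under another salt: the "ab" table is useless.
    print("other salt found:", toy_crypt("cat", "cd") in table)
    # Traditional crypt(3) sizes: 95 printable chars, 8 chars, 4096 salts.
    # 1e6 hashes/second is an assumed rate, not a measurement.
    print(round(years_to_enumerate(95, 8, 4096, 1e6)), "years")
```
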
imp@Solbourne.COM (Warner Losh) (04/27/91)
In article <1916@hpwala.wal.hp.com> lupienj@hpwarq.hp.com (John Lupien) writes:
>To borrow a phrase from one of those "Airplane" movies, "You use that
>word a lot. I don't think it means what you think it means."

I really hate to split hairs, but it is from "The Princess Bride", not
from "Airplane". However, they are both good movies.

Warner
--
Warner Losh             imp@Solbourne.COM
We sing about Beauty and we sing about Truth at $10,000 a show.