Re: Isn't it a security hole...
On 16 Aug 1996, Rob Browning wrote:

> It's too bad we can't support longer passwords. Not only are longer
> ones easier to remember sometimes, but they are harder to break.
> Something along the lines of the PGP passphrase.

I've noticed something curious on various Unices: I can have a 27-character-long password any time I want. For logins, though, login only cares about the first eight characters. But to change the password, I have to enter the entire thing. I haven't tried this on Linux (yet); I'm talking more along the lines of SunOS, Solaris 2.x, maybe AIX 3.x.

> I'm sure there's some historical, or backward compatibility reason why
> we can't...

Sure, that's probably the reason. The cult of "backward compatibility" IS, after all, responsible for far more heinous crimes, such as DOS' longevity...

David [EMAIL PROTECTED] aka [EMAIL PROTECTED]
Office: 3503 WeH, x86720
Go to http://www.harrybrowne96.org/
MTFBWY
Re: Isn't it a security hole...
Casper Boden-Cummins <[EMAIL PROTECTED]> writes:

> Fewer than that. The range of ASCII characters used in passwords is
> quite small: perhaps ~= 110, optimistically taking into account control
> characters and punctuation marks. Then, many people don't use the full 8
> characters, so we have to reduce the _average_ number again. I'd
> tentatively suggest 6 characters.

It's too bad we can't support longer passwords. Not only are longer ones easier to remember sometimes, but they are harder to break. Something along the lines of the PGP passphrase.

I'm sure there's some historical, or backward compatibility reason why we can't...

--
Rob
RE: Isn't it a security hole...
>> Thus, I propose a new word be adopted to describe the clever
>> and benign inventor of quick technical fixes. Rasher, from
>> "Shockwave Rider" usage, is a possible candidate, except
>> Brunner's rashers seemed to operate too much outside the
>> boundaries of ethics, delving into industrial espionage and
>> even sabotage, as I recall. Ideas, anyone?

Good word, but it tends to make me think of bacon. Just like crackers suggest cheese. It also suggests poor-quality fixes - rash ones.

I've read a very good argument for 'spider' as a candidate. There are many parallels to be drawn between the behaviour of spiders and, er, those other people. However, I go back to my earlier point that you'll very likely fail to introduce a new word without the cooperation of the (great many) people you're labelling. You also need a really good word for it to stick, and I'm afraid hacker is a damned good word.

Casper Boden-Cummins.
RE: Isn't it a security hole...
>>> If the max passwd
>>> length is 8 bytes, then at a quick estimate it seems that there are
>>> 256^8 * 4096 different possible passwords...?

Fewer than that. The range of ASCII characters used in passwords is quite small: perhaps ~= 110, optimistically taking into account control characters and punctuation marks. Then, many people don't use the full 8 characters, so we have to reduce the _average_ number again. I'd tentatively suggest 6 characters.

>> If a password were a random sequence of characters, they would be nearly
>> unbreakable, but then people would have to write them down somewhere and
>> that is an even bigger security risk in many ways.

Perhaps, but I get by with random characters for some of my passwords. It's tough to remember them, but you can't beat 'em. To invent them, I type in strings of random characters until I find one that feels comfortable to type, and that's the one I learn.

>> Brian
>> ( [EMAIL PROTECTED] )
>> ---
>> In theory, theory and practice are the same. In practice, they're not.

Good point.

Casper Boden-Cummins.
Re: Isn't it a security hole...
>> Actually, cracking a unix passwd file is quite easy, even for those
>> with minimal computer knowledge. With widely available programs like Crack
>> (UNIX), Crakerjack (DOS), and root_crack(DOS) anybody with a CPU >386 can
>> crack the DES encryption with a bit of time.
>
> My understanding of this situation (and please correct me if I'm wrong) is
> that the crypt() routine used by passwd is a truly one-way hashing algorithm,
> i.e. there simply is no way to go from an encrypted password back to the
> original.

Correct.

> Actually, I seem to remember reading that the crypt routine uses
> the password in combination with a "random" (based on time of day) string of
> bits (called the "salt", can't remember the length, I think it was 12 bits,
> giving 4096 possible encryptions of any given string), and that it uses this
> new salt+password as its key in encrypting a string of 0's. Given this, the
> only way to crack the passwords is to compile a dictionary of possible
> passwords, by taking all the likely strings to be used as passwords and
> encrypting each one 4096 times, once for each salt.

Because the same salt must be used on verification as on generation, the salt is stored as the first two characters of the 13-character encrypted password and is thus easily obtained. Without this, there would be no way to verify a password other than trying it 4096 different ways.

> Once you have this
> dictionary made, it can be distributed to anyone to use as the foundation of
> their crack attack, but if you wish to hack someone personally, i.e. by
> checking their first name, etc., you'll have to add these to the dictionary
> (unless common names are also part of the original dictionary).

The "Crack" program automatically adds such words (obtained from user-info and any readable files from the user's directory).

> And it should
> be plain how anyone with reasonable password-selection skills can be pretty
> much immune to this attack, e.g. by using non-word strings, by having
> punctuation, by varying the case of your characters, etc. If the max passwd
> length is 8 bytes, then at a quick estimate it seems that there are
> 256^8 * 4096 different possible passwords...?

Right, but most people don't do this. It's usually a word or some simple permutation of a word. Crack tries them with different cases, backwards, "1" instead of "i", "0" instead of "o", etc. If a password were a random sequence of characters, they would be nearly unbreakable, but then people would have to write them down somewhere and that is an even bigger security risk in many ways.

Brian
( [EMAIL PROTECTED] )
---
In theory, theory and practice are the same. In practice, they're not.
Re: Isn't it a security hole...
As Joshua Stockwell wrote:

> >>> On Aug 14, 2:35pm, Bruce Perens wrote:
> >>> : Ahem. Let's not use the word "hacker" to mean
> >>> : "computer criminal" on this list. "cracker" is more
> >>> : appropriate.
> >>> >-- End of excerpt from Bruce Perens
>
> > Christopher R. Hertel wrote:
> >>> Seconded. The term "hacker" originally referred to one
> >>> who would "hack" at [working] code to make it better,
> >>> faster, cleaner, more fun, etc. The term has been badly
> >>> misused in recent years, and for some has taken on a
> >>> new meaning. Given the true meaning of the term, most
> >>> of the people on this list could be called "hacker".
>
> To be quite honest, I think it has two meanings now. And it
> is nothing very recent, "hacker" has been used to label
> computer criminals at least for the last 12 years. Like many
> other English words, you just have to keep in mind under
> what context it is being used and apply the most appropriate
> definition. I personally would never want to be called a
> hacker, because it has a third definition for me -- someone
> who spends way too much time on their computer :)

Actually, all the above meanings are Johnny-come-latelies. The original meanings (there are several nuances) derive from hack (n.), a contraction of hackney, which means a horse used in common work. Leading into meaning a carriage for hire, operated by a hacker, this is also applied to motorized taxicab operators (I know, I was one before I discovered computers). Thus, through personal experience, I can attest that the other nuances -- hired out, trite or commonplace, made common by overuse, someone hired to do monotonous mindless drudgery, a lackey -- all these meanings come from that taken-for-granted nag. So it was with great surprise that, over twenty years ago, I encountered the new meaning of hacker, which is truly at variance with the established connotation of the word.

I say this new meaning should be given completely to the crackers, especially since, thanks to the media, society has already done so, as Joshua has pointed out. Thus, I propose a new word be adopted to describe the clever and benign inventor of quick technical fixes. Rasher, from "Shockwave Rider" usage, is a possible candidate, except Brunner's rashers seemed to operate too much outside the boundaries of ethics, delving into industrial espionage and even sabotage, as I recall. Ideas, anyone?
Re: Isn't it a security hole...
>> Perhaps a bit, but not too much. The passwords in /etc/passwd are encrypted
>> through one-way DES encryption. It's much easier to simply guess users'
>> passwords, the majority of which are first-names or first-names followed
>> by a number.
>>
> Actually, cracking a unix passwd file is quite easy, even for those
> with minimal computer knowledge. With widely available programs like Crack
> (UNIX), Crakerjack (DOS), and root_crack(DOS) anybody with a CPU >386 can
> crack the DES encryption with a bit of time.

My understanding of this situation (and please correct me if I'm wrong) is that the crypt() routine used by passwd is a truly one-way hashing algorithm, i.e. there simply is no way to go from an encrypted password back to the original.

Actually, I seem to remember reading that the crypt routine uses the password in combination with a "random" (based on time of day) string of bits (called the "salt", can't remember the length, I think it was 12 bits, giving 4096 possible encryptions of any given string), and that it uses this new salt+password as its key in encrypting a string of 0's. Given this, the only way to crack the passwords is to compile a dictionary of possible passwords, by taking all the likely strings to be used as passwords and encrypting each one 4096 times, once for each salt. Once you have this dictionary made, it can be distributed to anyone to use as the foundation of their crack attack, but if you wish to hack someone personally, i.e. by checking their first name, etc., you'll have to add these to the dictionary (unless common names are also part of the original dictionary).

And it should be plain how anyone with reasonable password-selection skills can be pretty much immune to this attack, e.g. by using non-word strings, by having punctuation, by varying the case of your characters, etc. If the max passwd length is 8 bytes, then at a quick estimate it seems that there are 256^8 * 4096 different possible passwords...?

I think this is a fascinating subject, I hope I haven't gotten it too wrong. Please reply with corrections.

Thanks,
Steve
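An added illustration (not code from the thread) of the salt mechanics Steve describes and Brian confirms: the two-character salt sits in clear at the front of the 13-character field, verification reads it back from there, only the first 8 password characters count, and the 4096 factor multiplies the cost of a file-independent dictionary but not of a run against one file's salts. It assumes a SHA-256 stand-in for the DES loop of crypt(3) and a constructed sample passwd file; the interface and the 12-bit salt are as the thread states.

```python
import hashlib

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_CHARS = 2        # 2 chars x 6 bits = 12-bit salt, 64**2 = 4096 values
HASH_CHARS = 11       # rest of the 13-character password field
SIGNIFICANT = 8       # traditional crypt(3) ignores password chars past the 8th


def toy_crypt(password, salt):
    """Stand-in for DES crypt(3) (assumption: SHA-256 replaces the salted DES
    loop). Same shape: 2-char salt in, 13-char string out with the salt first."""
    if len(salt) != SALT_CHARS or any(c not in CRYPT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from [./0-9A-Za-z]")
    key = password[:SIGNIFICANT].encode()          # the 8-char truncation
    digest = hashlib.sha256(salt.encode() + key).digest()
    body = "".join(CRYPT_ALPHABET[b % 64] for b in digest[:HASH_CHARS])
    return salt + body


def verify(password, stored):
    """The salt is not secret: it is read back from the stored field so the
    candidate is hashed exactly as the original was at generation."""
    return toy_crypt(password, stored[:SALT_CHARS]) == stored


def parse_passwd(text):
    """Map user -> hash field for /etc/passwd lines that carry a 13-char hash
    (shadowed or locked entries such as '*' are skipped)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and len(fields[1]) == SALT_CHARS + HASH_CHARS:
            entries[fields[0]] = fields[1]
    return entries


def precompute_work(entries, wordlist_size):
    """Hash operations one wordlist costs: once per distinct salt actually in
    this file, versus 4096 x wordlist for a table that works on any file."""
    salts = {h[:SALT_CHARS] for h in entries.values()}
    return {"distinct_salts": len(salts),
            "targeted": len(salts) * wordlist_size,
            "universal_table": 64 ** SALT_CHARS * wordlist_size}


# Constructed sample file: three hashed accounts, two of which share a salt.
SAMPLE_PASSWD = "\n".join([
    "root:%s:0:0:root:/root:/bin/sh" % toy_crypt("Tq7#vbLm", "ab"),
    "alice:%s:1000:1000:Alice:/home/alice:/bin/sh" % toy_crypt("letmein1", "ab"),
    "bob:%s:1001:1001:Bob:/home/bob:/bin/sh" % toy_crypt("Bob1", "xy"),
    "nobody:*:65534:65534:nobody:/nonexistent:/bin/sh",
])

if __name__ == "__main__":
    print(precompute_work(parse_passwd(SAMPLE_PASSWD), 1000))
```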
Re: Isn't it a security hole...
>>> On Aug 14, 2:35pm, Bruce Perens wrote:
>>> : Ahem. Let's not use the word "hacker" to mean "computer criminal" on
>>> : this list. "cracker" is more appropriate.
>>> >-- End of excerpt from Bruce Perens

Christopher R. Hertel wrote:
>>> Seconded. The term "hacker" originally referred to one who would
>>> "hack" at [working] code to make it better, faster, cleaner, more fun,
>>> etc. The term has been badly misused in recent years, and for some has
>>> taken on a new meaning. Given the true meaning of the term, most of
>>> the people on this list could be called "hacker".

To be quite honest, I think it has two meanings now. And it is nothing very recent, "hacker" has been used to label computer criminals at least for the last 12 years. Like many other English words, you just have to keep in mind under what context it is being used and apply the most appropriate definition. I personally would never want to be called a hacker, because it has a third definition for me -- someone who spends way too much time on their computer :)

-Josh Stockwell
RE: Isn't it a security hole...
Quite true, but by all accounts crackers dislike the name. You won't succeed without a majority adopting the new term, and I'm afraid that involves the cooperation of the culprits themselves. Otherwise, I'm sure this long-running debate would have concluded long ago. I think we should just accept that we're stuck with the double meaning. As with other ambiguous words, the context usually points to the true meaning.

Casper Boden-Cummins.

>--
>From: Christopher R. Hertel[SMTP:[EMAIL PROTECTED]
>Sent: 15 August 1996 15:10
>To: debian-user@lists.debian.org
>Cc: The recipient's address is unknown.
>Subject: Re: Isn't it a security hole...
>
>On Aug 14, 2:35pm, Bruce Perens wrote:
>: Ahem. Let's not use the word "hacker" to mean "computer criminal" on
>: this list. "cracker" is more appropriate.
>>-- End of excerpt from Bruce Perens
>
>Seconded. The term "hacker" originally referred to one who would
>"hack" at [working] code to make it better, faster, cleaner, more fun,
>etc. The term has been badly misused in recent years, and for some has
>taken on a new meaning. Given the true meaning of the term, most of
>the people on this list could be called "hacker".
>
>Chris -)-
>
>--
>Christopher R. Hertel -)- University of Minnesota
>[EMAIL PROTECTED] Networking and Telecommunications Services
Re: Isn't it a security hole...
On Aug 14, 2:35pm, Bruce Perens wrote:
: Ahem. Let's not use the word "hacker" to mean "computer criminal" on
: this list. "cracker" is more appropriate.
>-- End of excerpt from Bruce Perens

Seconded. The term "hacker" originally referred to one who would "hack" at [working] code to make it better, faster, cleaner, more fun, etc. The term has been badly misused in recent years, and for some has taken on a new meaning. Given the true meaning of the term, most of the people on this list could be called "hacker".

Chris -)-

--
Christopher R. Hertel -)- University of Minnesota
[EMAIL PROTECTED] Networking and Telecommunications Services
RE: Isn't it a security hole...
Guy Maor wrote:

>> Truly cracking a passwd file would take more than "a bit of time". Or
>> maybe you're an extremely patient person.

It may take a while in general, but poor maintenance and naive password choice often lead to surprising results - besides, the increase in low-cost high-power CPUs is narrowing the gap. The following excerpt from 'How to improve the security of your site by breaking into it' by Dan Farmer and Wietse Venema illustrates this point:

---begin quote---
After receiving mail from a site that had been broken into from one of our systems, an investigation was started. In time, we found that the intruder was working from a list of ".com" (commercial) sites, looking for hosts with easy-to-steal password files. In this case, "easy-to-steal" referred to sites with a guessable NIS domainname and an accessible NIS server. Not knowing how far the intruder had gotten, it looked like a good idea to warn the sites that were in fact vulnerable to password file theft.

Of the 656 hosts in the intruder's hit list, 24 had easy-to-steal password files -- about one in twenty-five hosts! One third of these files contained at least one password-less account with an interactive shell. With a grand total of 1594 password-file entries, a ten-minute run of a publicly-available password cracker (Crack) revealed more than 50 passwords, using nothing but a low-end Sun workstation. Another 40 passwords were found within the next 20 minutes; and a root password was found in just over an hour. The result after a few days of cracking: five root passwords found, 19 out of 24 password files (eighty percent) with at least one known password, and 259 of 1594 (one in six) passwords guessed.
---end quote---

Casper Boden-Cummins.
Re: Isn't it a security hole...
On Wed, 14 Aug 1996, Gilbert Ramirez Jr. wrote:

> Actually, cracking a unix passwd file is quite easy, even for those
> with minimal computer knowledge. With widely available programs like Crack
> (UNIX), Crakerjack (DOS), and root_crack(DOS) anybody with a CPU >386 can
> crack the DES encryption with a bit of time.

Those programs you mention crack account files by guessing the actual password, encrypting that with all the salts, and matching it to the encrypted password. Guesses of the password include permutations of the user name, gecos, and a dictionary. Unfortunately such attacks often work.

Truly cracking a passwd file would take more than "a bit of time". Or maybe you're an extremely patient person.

Guy
Re: Isn't it a security hole...
Hi Matt!

From: Matthew Bailey <[EMAIL PROTECTED]>
> One of the first things to remember is to use an Alpha numeric and special
> character password for root that usually fixes 99.99% of all hackers from
> gaining root access.

Ahem. Let's not use the word "hacker" to mean "computer criminal" on this list. "cracker" is more appropriate.

Thanks

Bruce
--
Clinton isn't perfect, but I like him a lot more than Dole.
Please register to vote, and vote for Democrats.
Bruce Perens AB6YM [EMAIL PROTECTED] http://www.hams.com/
Re: Isn't it a security hole...
>As Jerzy Kakol said:
>>
>>
>> ...the attribute readable for others in case of the file /etc/passwd?
>
>Perhaps a bit, but not too much. The passwords in /etc/passwd are encrypted
>through one-way DES encryption. It's much easier to simply guess users'
>passwords, the majority of which are first-names or first-names followed
>by a number.
>
>>
>> TIA.
>>
>> Jerzy Kakol
>>
>--gilbert
>__
>Gilbert Ramirez Jr. [EMAIL PROTECTED]
>University of Texas http://merece.uthscsa.edu/gram
>Health Science Center at San Antonio University Health System
>

Actually, cracking a unix passwd file is quite easy, even for those with minimal computer knowledge. With widely available programs like Crack (UNIX), Crakerjack (DOS), and root_crack(DOS) anybody with a CPU >386 can crack the DES encryption with a bit of time.

Mike...
Re: Isn't it a security hole...
Yes, it is in project/experimental on the FTP server. We'll put it in 1.2.

Bruce
--
Clinton isn't perfect, but I like him a lot more than Dole.
Please register to vote, and vote for Democrats.
Bruce Perens AB6YM [EMAIL PROTECTED] http://www.hams.com/
Re: Isn't it a security hole...
At 05:01 PM 8/14/96 +0200, you wrote:
>
>...the attribute readable for others in case of the file /etc/passwd?
>
>Recently my debian system was cracked by several pirates. They have
>account name and the password widely broadcasted on an IRC channel. The
>only way, as I guess, they grabbed root's privileges was free access to
>/etc/passwd.
>Is there a free and debianized shadow-password package?

Make sure you take good steps to ensure your security - for example, when a user changes passwords on my network it won't let them change it to a dictionary word; it must have uppercase letters and at least 1 numeral in it. (That's the way I installed Debian 1.1 anyway - by default it does this I think as long as you install a dictionary.)

There certainly is a debian shadow password package... Check the project/experimental directory - be forewarned though, it's exactly that -- experimental :-) I however have run it fine and it does seem to work (though I'm not using it now because I reformatted).

...Karl
--
Karl Ferguson, Tower Networking Pty Ltd (ACN: 072 322 760) [EMAIL PROTECTED]
t/a STAR Online Services [EMAIL PROTECTED]
Tel: +61-9-455-3446 Fax: +61-9-455-2776 http://www.star.net.au/
Re: Isn't it a security hole...
On Wed, 14 Aug 1996, Jerzy Kakol wrote:

> > ...the attribute readable for others in case of the file /etc/passwd?
>
> Recently my debian system was cracked by several pirates. They have
> account name and the password widely broadcasted on an IRC channel. The
> only way, as I guess, they grabbed root's privileges was free access to
> /etc/passwd.
> Is there a free and debianized shadow-password package?
>

One of the first things to remember is to use an Alpha numeric and special character password for root that usually fixes 99.99% of all hackers from gaining root access.

We use NIS and our users are able to read the password entries for everyone; however we tell users this and tell them how to create a secure password. :)

Matt

Sorry to be sarcastic but I can be that way at times :)
Re: Isn't it a security hole...
On Wed, 14 Aug 1996, Jerzy Kakol wrote:

> > ...the attribute readable for others in case of the file /etc/passwd?
>
> Recently my debian system was cracked by several pirates. They have
> account name and the password widely broadcasted on an IRC channel. The
> only way, as I guess, they grabbed root's privileges was free access to
> /etc/passwd.
> Is there a free and debianized shadow-password package?
>
> TIA.
>
> Jerzy Kakol

I know there is a shadow password system for linux and there may in fact be a .deb for that package.

These are typical permissions for /etc/passwd:

-rw-r--r--   1 root     sys         1309 Jun 25 15:05 /etc/passwd

That's right, readable by all. The protection in the original passwd mechanism doesn't come from hiding the cipher text; that field is the result of a one-way hash and cannot be effectively decrypted. (In fact the one-way hash makes it impossible for the "rubber hose cryptanalyst" to beat the passwords out of you or another sys admin.) If your passwords are good, even if an attacker gets your /etc/passwd they won't find anything by cracking it (dictionary attack).

You may want to have passwords checked before they are hashed into /etc/passwd using anlpasswd or the like with the biggest baddest dictionary files you can find. The anlpasswd program replaces passwd or yppasswd, though this isn't obvious to your users.

If your system has been compromised, or is likely to be, you will probably want to restore it from a known good backup (or, better yet, reinstall) and run Tripwire (or a similar tool) to be sure of integrity in the future. Even if you fixed the root password you probably have no idea what else the intruders may have done to keep a back door open.

_
Don Gaffney (http://www.emba.uvm.edu/~gaffney)
Engineering, Mathematics & Business Administration Computer Facility
University of Vermont - 237 Votey Building - Burlington, VT 05405
(802) 656-8490 - Fax: (802) 656-8802
Re: Isn't it a security hole...
As Jerzy Kakol said:
>
>
> ...the attribute readable for others in case of the file /etc/passwd?

Perhaps a bit, but not too much. The passwords in /etc/passwd are encrypted through one-way DES encryption. It's much easier to simply guess users' passwords, the majority of which are first-names or first-names followed by a number.

>
> TIA.
>
> Jerzy Kakol
>
--gilbert
__
Gilbert Ramirez Jr. [EMAIL PROTECTED]
University of Texas http://merece.uthscsa.edu/gram
Health Science Center at San Antonio University Health System
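Don's suggestion of checking a password before it is hashed, Karl's composition rules, and the guesses the thread says Crack tries (Gilbert's first-name-plus-number, Guy's user name and gecos, Brian's reversal and 1-for-i / 0-for-o swaps) combined into one proactive check, as an added example that is not anlpasswd's code or anything from the thread. It assumes a small constructed wordlist and that only the first 8 characters matter, as with traditional crypt(3); the 6-character minimum and the 4-character substring rule are choices made here.

```python
import re

SIGNIFICANT = 8   # traditional crypt(3) ignores password chars past the 8th
MIN_LENGTH = 6    # assumption: minimum number of significant characters
MIN_WORD = 4      # assumption: shorter fragments are ignored as too noisy

# Constructed wordlist standing in for the "biggest baddest dictionary".
WORDLIST = ["password", "secret", "orange", "debian", "letmein"]


def mangle(word):
    """Crack-style variants the thread lists: reversal, '1' for 'i', '0' for 'o'.
    The caller compares case-insensitively, so case variants need no entries."""
    w = word.lower()
    return {w, w[::-1], w.replace("i", "1"), w.replace("o", "0"),
            w.replace("i", "1").replace("o", "0")}


def personal_words(username, gecos):
    """User name plus the name parts of the gecos field, which Crack feeds in."""
    words = {username.lower()}
    words.update(p.lower() for p in re.split(r"[^A-Za-z]+", gecos) if len(p) >= 3)
    return words


def weak_reason(password, username, gecos, dictionary):
    """Return why the password would be refused, or None if it passes.
    Only the characters crypt(3) would actually use are examined, so a
    digit in position 9 does not satisfy the digit rule."""
    effective = password[:SIGNIFICANT]
    core = effective.lower()
    if len(effective) < MIN_LENGTH:
        return "fewer than %d significant characters" % MIN_LENGTH
    # Name-plus-number ("gilbert1") and mangled words: Crack's first guesses.
    bases = personal_words(username, gecos) | {d.lower() for d in dictionary}
    for base in bases:
        for variant in mangle(base):
            if len(variant) >= MIN_WORD and variant in core:
                return "contains guessable word %r" % variant
    if not any(c.isupper() for c in effective):
        return "no uppercase letter in the first %d characters" % SIGNIFICANT
    if not any(c.isdigit() for c in effective):
        return "no digit in the first %d characters" % SIGNIFICANT
    return None


if __name__ == "__main__":
    for candidate in ("Gilbert1", "Marmalade9", "Tq7#vbLm"):
        print(candidate, "->", weak_reason(candidate, "gram", "Gilbert Ramirez Jr.", WORDLIST))
```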