
Re: Unix links subverting Web security
> Basically, crypt() is pretty much open to all-out attack because the
> password is only 8 characters long.  Crypt is safe, but the way it is
> implemented on unix passwords is so weak as to make dictionary attacks
> easy.  
> 
there are a number of BSD OSes available that implement and support passwds
greater than 8 chars.

> There are many variations on this - the 8 character limit on passwords
> is a big hole.
> 
the big hole is not the 8 char limit - the big hole is poor passwords. there's
only one type of password that is acceptable today: random gibberish (I mean
gibberish - nothing phonetic even) created by a RNG seeded by a
non-deterministic source (some good ones available). a really random 8 char
passwd will make a brute force attack not much fun. now do this with a 12 char
passwd and things start looking good.

have fun,

rich

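The point rich makes above (uniformly random characters from a non-deterministic source, and the jump from 8 to 12 characters) can be shown concretely. The following is an added example, not code from the thread or from any BSD passwd implementation; it assumes Python's `secrets` module as the OS-seeded CSPRNG, a constructed 94-symbol printable-ASCII alphabet, and an assumed guess rate of 10^9 attempts per second for the time estimate.

```python
import math
import secrets
import string

# Constructed alphabet: letters, digits and punctuation (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character independently and uniformly from the OS CSPRNG.

    secrets.choice() is backed by os.urandom(), which the kernel seeds from
    non-deterministic sources; this is the "random gibberish" the post asks for.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected years to find a uniformly random password by exhaustive search.

    On average half the keyspace must be tried before the right guess.
    """
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(lengths=(8, 12), guesses_per_second: float = 1e9) -> dict:
    """Tabulate entropy and expected search time for each password length."""
    return {
        n: {
            "entropy_bits": round(entropy_bits(n, len(ALPHABET)), 1),
            "years_at_assumed_rate": brute_force_years(n, len(ALPHABET), guesses_per_second),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n in (8, 12):
        print(n, generate_password(n), compare()[n])
```

At the assumed 10^9 guesses per second, an 8-character uniformly random password from this alphabet (about 52 bits) is expected to fall in roughly a month, while 12 characters (about 79 bits) pushes the expectation into millions of years; a dictionary word of the same length has far less entropy than either, which is the post's actual point.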