==============================================================================

Phile 1.2 of 1.14

Fundamentals of UNIX passwords
------------------------------

By: Mr. Slippery

I will answer the following questions: What are good passwords? What are bad passwords? Why does UNIX System V require 6 character passwords with funny characters? How long would it take to break ANY 6 character password?

In 1981, Robert Morris and Ken Thompson wrote up their findings about passwords. The document is called "Password Security - A Case History" and is present in the documentation for some versions of UNIX. They did a survey of various systems and found that out of 3,289 passwords, 15 were a single character, 72 were 2 characters long, 464 were 3 chars, 477 were 4 alphanumeric, 706 were 5 letters, 605 were 6 letters, all lower case, and 492 appeared in various dictionaries. 86% of the passwords were thus easily breakable if you have a password hacker and access to the password file. This is why UNIX V requires a minimum of 6 characters, some of which must not be letters.

The article also said that some "good" things to try are dictionary entries with the words spelled backwards, lists of first names, last names, street names, city names (try with an initial upper case letter as well), valid license plate numbers in your state, room numbers, telephone numbers and the like. Some others have suggested that people use women's names (with a trailing digit), their logins repeated or massaged (login abc, password abcabc, cbacba), anything in the "GECOS" (comment) field of the password file and anything significant that you know about the person (their kid's name).

But what about trying every possible password? How long would it take? The article had some numbers based on a PDP 11/70. It showed that 6 character passwords were too hard to break by exhaustive search if someone was forced to use more than just letters and numbers.
Using all 95 printable characters, it would take a PDP 11/70 about 33 years to try all of them. BUT TIMES ARE CHANGING. One fine weekend I tried the same experiment with a modern 25MHz computer. From 33 years it's down to 6 months. If you have access to a mainframe or Cray, it could be a matter of days or weeks to break a password. Of course, this is not something that would go unnoticed. Using up all the resources of a CRAY would show up, but over a long weekend, who knows? If people are paying attention to the system activity (sar) they will notice that you've used up all the system resources and start asking potentially embarrassing questions. If you have a bunch of friends to help and divide up the job, it could be a lot faster. Naturally though, it has to be worth your time and effort. Someone running Xenix or MINIX on a PC is hardly worth the effort. And if the person was using 7 or 8 character passwords it would take just too long.

If you examine the password encryption method that UNIX uses, you will notice that a 'salt' is used. This can have 4K (4,096 for the uninitiated) values, so generating every possible password IN ADVANCE would take 4K times whatever time is required, so it's not worth the attempt either.

How long will the 'door' be open? The fact that people are getting better and better at guessing passwords is not lost on all concerned. AT&T has put something called "password shadowing" in their latest release (V.3.2). Basically what they did is to make the password file unreadable by anyone but root. This stops people from taking the password file to another machine and working on it at leisure. SUN and IBM are doing similar things (hang around USENIX/Uniforum when the shows come to your town to see what they are up to).

Well, what is this all leading up to? Are people going to give up their hobby? Just between you and me, I kind of doubt it. Password 'shadowing' is optional, after all. People will still choose bad passwords or even no passwords.
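As an added example (not code from the original article), here is a Python checker a sysop could run against proposed passwords. It builds the Morris/Thompson-style guess list described above (dictionary words and their reversals, names with a trailing digit, the login repeated or massaged, GECOS tokens), applies the System V rule of six characters with a non-letter, and estimates worst-case exhaustive-search time from the character classes used, with the 4,096-salt multiplier for tables built in advance. The word list and the login/GECOS values used in the docstrings are constructed, not taken from any real system.

```python
import re
import string

# Constructed sample word list; a real audit would load /usr/dict/words and
# name lists (the article notes women's names are a common choice).
DICTIONARY = {"password", "secret", "dragon", "sunshine", "welcome", "susan"}
# 26 + 26 + 10 + 33 = the 95 printable ASCII characters the article counts.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")

def candidate_guesses(login, gecos, words=DICTIONARY):
    """Guesses in the spirit of Morris/Thompson: dictionary words, their
    reversals and capitalised forms, words with a trailing digit, the login
    repeated or reversed, and tokens from the GECOS comment field."""
    guesses = set()
    for w in words:
        guesses.update({w, w[::-1], w.capitalize()})
        guesses.update(w + str(d) for d in range(10))
    guesses.update({login, login * 2, login[::-1], login[::-1] * 2})
    for tok in re.split(r"[^A-Za-z0-9]+", gecos):
        if tok:
            guesses.update({tok, tok.lower()})
    return guesses

def alphabet_size(pw):
    """Combined size of the printable classes the password draws on."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def search_seconds(pw, guesses_per_second, precompute=False):
    """Worst-case seconds to exhaust every password of this length from the
    classes it uses. A table built in advance must cover all 4,096 salts."""
    keyspace = alphabet_size(pw) ** len(pw)
    if precompute:
        keyspace *= 4096
    return keyspace / guesses_per_second

def check_password(pw, login, gecos):
    """Reasons the password is weak; empty means it meets the System V rule
    (6+ characters, not all letters) and matches none of the guesses."""
    reasons = []
    if len(pw) < 6:
        reasons.append("shorter than 6 characters")
    if pw.isalpha():
        reasons.append("letters only (System V requires a non-letter)")
    guesses = candidate_guesses(login, gecos)
    if pw in guesses or pw.lower() in guesses:
        reasons.append("matches a dictionary, name, login or GECOS guess")
    return reasons
```

Calling `check_password("secret1", "jdoe", "John Doe")` flags the trailing-digit word, while `search_seconds("abcdef", 700)` shows how small the all-lowercase six-character space is next to the 95-character one.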
Many people will not load the latest operating systems. On the other hand, it's not only UNIX systems that people choose bad passwords for. I assume that I could break many hackers' and phreaks' passwords on various boards but that would be unfriendly and get me into trouble, so I won't try :-) (for the novice, this is a smiley face and means that I'm joking; :-( is a frown). Those out there who are sysops might want to see what people choose for passwords since I assume we're almost as lazy as other people. Me, I don't use anything that you could guess except on one board that had trouble with special characters!

Writing a password cracker:

On UNIX, at least, this is simple assuming you have access to the 'domestic' version. The 'international' version has the crypt function deleted. I don't know why they bothered since all the KGB has to do is visit any one of 10,000 sites with UNIX source code, but I guess the government likes to play "let's pretend". By the way, in case you are waiting for a nice cheap FAST DES chip to come out, the UNIX people did not exactly use DES. They diddled it a bit to stop hardware from making the job too fast.

I assume that the principles I've talked about here apply to other operating systems. Some are a LOT easier. The earlier versions of the Pick operating system did not even encrypt the passwords. All you had to do was to 'dump' the right 'frame' of disk to see them! I think that some of the mainframe packages such as RACF or ACF2 don't encrypt but I'm not 100% sure.

A final thought: one thing to look for in general is assumptions made a number of years ago that people have not reexamined. Exhaustive searches of 6 character passwords are just one example. I'm sure there are others.

DOWNLOADED FROM P-80 SYSTEMS 304-744-2253