/etc/passwd

Bruce Dubbs bdubbs at swbell.net
Thu Jan 17 08:47:42 PST 2002


Richard Lightman wrote:
> * Bruce Dubbs <bdubbs at swbell.net> [020117 11:35]:
> 
>>Fabio Fracassi wrote:
>>
>>>And also remember that brute-force 
>>>benefits linearly from parallel processing, so with a small net it gets even 
>>>faster.
>>>
>>And the time to crack goes up exponentially with length of password.
>>
> 
> If a cracker had to find the exact password, that would be true.
> For unix passwords, crackers only need to find a password with
> the same digest. If your password is longer than the digest,
> you can be confident that a shorter password with the same digest
> exists.

Let's see.  My shadow digests are 13 characters long.  There are over 90 
characters possible for each position for about 1.5 x 2^20 possible 
(1.5B) combinations.  It's possible for two passWORDS/PHRASES to generate 
the same digest, but unlikely.  Of course in a brute force attack, 
someone can get lucky and guess the PW on the first try, but the odds of 
winning the lottery are about a 1000 times better.

This brings up an interesting point.  How long does it take to try one 
password?  If you were cracking passwords a lot, you could just generate 
all combinations up to a certain length on a large hard disk and do a 
binary search on the digest and get any of those PWs in less than a second.

This is my last post in lfs.dev.  Please move to lfs.security.

   -- Bruce
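
Added example, not part of the original post: the precomputed digest table with binary-search lookup described above, and the effect of a per-account salt on such a table. SHA-256 truncated to 64 bits stands in for crypt(3); the four-letter alphabet, the length limit and all function names are constructed for illustration.

```python
import bisect
import hashlib
from itertools import product

ALPHABET = "abcd"   # constructed toy alphabet; the post assumes 90+ characters
MAX_LEN = 4         # constructed toy length limit

def digest(password: str, salt: str = "") -> bytes:
    # Stand-in for crypt(3) (assumption): SHA-256 truncated to 8 bytes.
    return hashlib.sha256((salt + password).encode()).digest()[:8]

def candidates():
    # Every string over ALPHABET of length 1..MAX_LEN.
    for n in range(1, MAX_LEN + 1):
        for chars in product(ALPHABET, repeat=n):
            yield "".join(chars)

def build_table(salt: str = ""):
    # Sorted (digest, password) pairs: the "large hard disk" of the post.
    return sorted((digest(p, salt), p) for p in candidates())

def lookup(table, target: bytes):
    # Binary search on the digest column: O(log n) comparisons.
    i = bisect.bisect_left(table, (target,))
    if i < len(table) and table[i][0] == target:
        return table[i][1]
    return None

def table_entries(alphabet_size: int, max_len: int, salts: int = 1) -> int:
    # Entries needed to cover every password up to max_len for every salt.
    return salts * sum(alphabet_size ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    table = build_table()                             # built once, no salt
    print(lookup(table, digest("dcab")))              # unsalted digest: found
    print(lookup(table, digest("dcab", salt="x7")))   # salted digest: not in table
    # Traditional DES crypt(3) has 4096 salt values, so one table per salt:
    print(table_entries(95, 6), table_entries(95, 6, salts=4096))
```

The salted lookup misses because the table was built for one salt only; covering every salt multiplies the storage by the number of salt values.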
