jsmaby at virgo.umeche.maine.edu jsmaby at virgo.umeche.maine.edu
Thu Jan 17 10:44:17 PST 2002

> Let's see.  My shadow digests are 13 characters long.  There are over 90 
> characters possible for each position for about 1.5 x 2^20 possible 
> (1.5B) combinations.  Its possible for two passWORDS/PHRASES to generate 
> the same digest, but unlikely.  Of course in a brute force attack, 
> someone can get lucky and guess the PW on the first try, but the odds of 
> winning the lottery are about a 1000 times better.

LFS as currently set up only uses the first 8 characters of a password.
I discovered this while mistyping the ninth character of one of my
passwords and still getting in.

Thus, for a brute force attack, one only needs to check 8 character
strings.  By making smart guesses (like mostly lower case, and vowels
being more common, based off of dictionary words), a password cracker
will do a pretty good job.  If you got your password from /dev/urandom,
then there are still 94^8 possibilities.  My system can crack 100,000
passwords per second (well, that's what Jack the Ripper says).  So
a little dimensional analysis:

94^8 pw / (100000 pw/s * 3600 s/hr * 24 hr/day * 365 day/yr) = 1933 years

If it's only a 7 character password, I only need 20 years.

If the password only contains lower case letters, it'll only take a month.

If it's 7 lower case letters, a day.

Now I'll admit that memorizing something like "X*k<U]8b" isn't quite as
easy as "StarWars" or "blUbeRy5", so most users (and sysadmins) use
easily crackable passwords.  So while in principle, one could leave
thier passwd file unshadowed with out worry, in practice lots of people
will get burned by it.

Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message

More information about the lfs-security mailing list