/etc/passwd

Don Smith midio at att.net
Thu Jan 17 11:12:46 PST 2002


I think (though it has been a long time since I took statistics) that
the total number of combinations is 90^13 which works out to 2.54x10^25
combinations. And remember each combination is 13 bytes long for a total
of 3.3 x 10^26 bytes (with *no* string delimiters). That's enough to
fill up 10 quadrillion 32 GB disks. At ~ $100 a pop, can you say a
quintillion dollars?

Note: those are American numbers not British.

--
Don
LFS# 734


"Bruce Dubbs" <bdubbs at swbell.net> wrote in message
news:3C47096E.4050209 at swbell.net...
> Matthias Benkmann wrote:
> > On 17 Jan 2002, at 10:47, Bruce Dubbs wrote:
> >
> >
> >>password?  If you were cracking passwords a lot, you could just generate
> >>all combinations up to a certain length on a large hard disk and do a
> >>binary search on the digest and get any of those PWs in less than a second.
> >>
> >
> > To prevent this, a so-called salt is used. You do not only encrypt the
> > password, you first concatenate it with a (pseudo-)random salt string that
> > is saved together with the encrypted string. In order for the above scheme
> > to work you will have to generate encryptions of all passwords combined
> > with all salt strings. That increases the number of data extremely. The
> > amount of storage needed is (still) too expensive to be used exclusively
> > for cracking, especially since all sites worth cracking use shadow
> > passwords so that you don't get the password file.
>
> This is true over the net with such programs as ssh in negotiating
> session passwords, but is it also true with a console logon?  I don't
> see how the system would know what salt to apply--it would have to be
> saved someplace.
>    -- Bruce
>
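
Added example, not part of the original message or the thread: a Python sketch of the salted storage scheme discussed above, showing the salt kept beside the digest in the stored field, a precomputed table missing once a salt is used, and the table-size arithmetic. PBKDF2 stands in for crypt(3); the function names, the iteration count, the sample passwords and the 4096-salt figure (the 12-bit salt of traditional DES crypt) are assumptions of the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor for this demo

def digest(password, salt):
    """PBKDF2-HMAC-SHA256 as a stand-in for crypt(3); an empty salt means unsalted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def make_record(password, salt=None):
    """Return 'salt$digest': the salt is stored in the clear beside the hash."""
    salt = os.urandom(8) if salt is None else salt
    return salt.hex() + "$" + digest(password, salt)

def verify(password, record):
    """Console login path: read the salt back out of the stored record."""
    salt_hex, stored = record.split("$")
    return hmac.compare_digest(digest(password, bytes.fromhex(salt_hex)), stored)

def build_table(candidates):
    """Precomputed digest -> password table for unsalted hashes."""
    return {digest(p, b""): p for p in candidates}

def table_bytes(alphabet, length, salts=1):
    """Bytes needed to store every candidate of `length` chars, once per salt."""
    return alphabet ** length * length * salts

if __name__ == "__main__":
    table = build_table(["letmein", "hunter2", "password"])  # constructed sample
    print("unsalted lookup:  ", table.get(digest("hunter2", b"")))
    record = make_record("hunter2")
    print("stored field:     ", record)
    print("salted lookup:    ", table.get(record.split("$")[1]))
    print("login verifies:   ", verify("hunter2", record))
    print("table, no salt:    %.2e bytes" % table_bytes(90, 13))
    # 4096 is the salt count of traditional DES crypt(3) (12-bit salt)
    print("table, 4096 salts: %.2e bytes" % table_bytes(90, 13, 4096))
```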

