jyork at lmasys.com
Thu Jan 24 19:18:54 PST 2002
On Thu, 17 Jan 2002 13:47:39 -0500, jsmaby wrote:
>> Let's see. My shadow digests are 13 characters long. There are over
>> 90 characters possible for each position for about 1.5 x 2^20 possible
>> (1.5B) combinations. It's possible for two passWORDS/PHRASES to
>> generate the same digest, but unlikely. Of course in a brute force
>> attack, someone can get lucky and guess the PW on the first try, but
>> the odds of winning the lottery are about a 1000 times better.
> LFS as currently set up only uses the first 8 characters of a password.
> I discovered this while mistyping the ninth character of one of my
> passwords and still getting in.
> Thus, for a brute force attack, one only needs to check 8 character
> strings. By making smart guesses (like mostly lower case, and vowels
> being more common, based off of dictionary words), a password cracker
> will do a pretty good job. If you got your password from /dev/urandom,
> then there are still 94^8 possibilities. My system can crack 100,000
> passwords per second (well, that's what Jack the Ripper says). So a
> little dimensional analysis:
> 94^8 pw / (100000 pw/s * 3600 s/hr * 24 hr/day * 365 day/yr) = 1933
> If it's only a 7 character password, I only need 20 years.
> If the password only contains lower case letters, it'll only take a
> If it's 7 lower case letters, a day.
> Now I'll admit that memorizing something like "X*k<U]8b" isn't quite as
> easy as "StarWars" or "blUbeRy5", so most users (and sysadmins) use
> easily crackable passwords. So while in principle, one could leave
> their passwd file unshadowed without worry, in practice lots of people
> will get burned by it.
You can fix this by editing your /etc/login.defs file
This should allow you to have passwords of unlimited chars, I believe.
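An added example (written for this archive page; it is not LFS code or anything a list member posted) that works through the two points raised above in Python: the brute-force time estimate from jsmaby's post, generalized to any character set size, password length and guess rate, and a small probe that finds the point past which a hash stops looking at the password. The `legacy_crypt` and `modern_crypt` functions are constructed stand-ins built on SHA-256 so the script runs anywhere; they are not the real DES or MD5 crypt(3), only their length handling is modelled.

```python
"""Brute-force time estimates and a truncation probe for password hashes.

Added illustration for the lfs-security thread; constructed, not the list's
or the LFS project's code.  The post's figures (100,000 guesses/s, 94
printable characters, 8-character limit) are used as the defaults.
"""
import hashlib
from typing import Callable, Optional

SECONDS_PER_YEAR = 3600 * 24 * 365  # same dimensional analysis as the post


def keyspace(charset_size: int, length: int, max_used: Optional[int] = None) -> int:
    """Number of distinct passwords the hash can actually tell apart.

    If the hash only consumes the first `max_used` characters, any length
    beyond that adds nothing: a 12-character password is searched as an
    8-character one.
    """
    effective = length if max_used is None else min(length, max_used)
    return charset_size ** effective


def crack_time_years(charset_size: int, length: int,
                     rate_per_second: int = 100_000,
                     max_used: Optional[int] = None) -> float:
    """Worst-case exhaustive-search time in years at the given guess rate."""
    return keyspace(charset_size, length, max_used) / (rate_per_second * SECONDS_PER_YEAR)


def legacy_crypt(password: str, salt: bytes = b"ab") -> str:
    """Constructed stand-in for a scheme that ignores everything past 8 chars."""
    return hashlib.sha256(salt + password[:8].encode()).hexdigest()


def modern_crypt(password: str, salt: bytes = b"ab") -> str:
    """Constructed stand-in for a scheme that hashes the whole password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def truncation_limit(hash_fn: Callable[[str], str], probe_length: int = 32) -> Optional[int]:
    """Return N if changing the character at index N (the N+1-th character)
    leaves the hash unchanged, i.e. only the first N characters count.
    Returns None if no truncation is found up to probe_length.

    This is the same observation as "mistyping the ninth character and
    still getting in", done deliberately against an arbitrary hash function.
    """
    base = "a" * probe_length
    for n in range(1, probe_length):
        variant = base[:n] + "b" + base[n + 1:]  # differs only at index n
        if hash_fn(variant) == hash_fn(base):
            return n
    return None


if __name__ == "__main__":
    for charset, length in ((94, 8), (94, 7), (26, 8), (26, 7)):
        years = crack_time_years(charset, length)
        print(f"{charset}^{length}: {years:10.3f} years ({years * 365:8.1f} days)")
    print("12 chars, 8 used :", crack_time_years(94, 12, max_used=8), "years")
    print("legacy limit     :", truncation_limit(legacy_crypt))
    print("modern limit     :", truncation_limit(modern_crypt))
```

Running the script reproduces the post's 1933-year figure for 94^8 and shows the 26^7 case landing at just under a day. The truncation probe is what a sysadmin would run against the real hash routine on a box to confirm whether the configured scheme discards characters past the eighth, before relying on longer passwords for extra strength.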