----- Original Message -----
From: Yoni Elhanani <[EMAIL PROTECTED]>
To: Linux-Il Mailing List <[EMAIL PROTECTED]>
Sent: Wednesday, March 31, 1999 11:35 PM
Subject: [newbie] Shadow passwords on rhl5.2


> another question is,
> should i bother?

Yes! You should! When UNIX passwords were first used, the fastest Cray had
less CPU power than a Pentium 200. Cracking /etc/passwd using a "smart"
cracking program (i.e. one that can run on multiple computers, one that uses
dictionary word combinations, etc.) is easy, fast and very, very simple.
Any cracker wannabe will immediately take your /etc/passwd file and run a
cracker on it on his home PC. From my experience, passwords that are made of
dictionary words are cracked within 48 hours (unfortunately most people use
those); a brute force attack using lowercase letters only will take no more
than a few days. If this cracker uses the 20 PCs on his school LAN (for
example, on Pesach vacation, when they're not used anyway) he will reduce
password breaking time by a factor of 10-20 (using 10-20 computers).

The days when experts said "There is not enough energy in the world to
build the computer that could try all the combinations, yada yada yada, and
therefore it's unbreakable" are long, long gone.

Why RH chose not to shadow passwords by default is beyond my knowledge
(though I think someone told me RH6.0 will let you choose to shadow them
during the installation - I'm not sure).

In short - shadow your passwords. Today.


-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:
What a waste it is to lose one's mind or not to have a mind.
How true it is.
                         - J. Danforth Quayle, addressing the United Negro
                              College Fund, quoted in "Time", 26 June 1989



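The practical check behind the advice above, as an added example that is not part of the original post or the Linux-IL thread: a small POSIX shell script that inspects a passwd-format file and reports every account whose password field still holds a hash (or is empty) instead of the shadow placeholder. The sample /etc/passwd it writes is constructed for the demonstration; its 13-character "hashes" are made-up strings standing in for traditional crypt(3) output, and the usernames are invented.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether a
# passwd-format file still carries password hashes in its second field.
# /etc/passwd has to stay world-readable, so any hash left in it is
# available to every local user (and to any cracker who copies the file);
# on a shadowed system only the placeholder "x" remains there.

# Print "user:reason" for every entry that is not protected by shadowing.
# $1 is the passwd-format file to inspect (defaults to /etc/passwd).
unshadowed_accounts() {
    awk -F: '
        # A real entry has exactly 7 fields; skip comments and blank lines.
        NF == 7 && $1 !~ /^#/ {
            pw = $2
            if (pw == "") {
                # Empty field: login with no password at all, worse than a hash.
                print $1 ":empty-password"
            } else if (pw != "x" && pw != "*" && pw != "!" && pw != "!!") {
                # Anything else is a hash sitting in a world-readable file.
                print $1 ":hash-in-passwd"
            }
            # "x" = shadowed; "*", "!", "!!" = locked, nothing to crack.
        }' "${1:-/etc/passwd}"
}

# Count the findings so a caller can use this as a pass/fail check.
# $1 is the passwd-format file to inspect.
unshadowed_count() {
    unshadowed_accounts "$1" | wc -l | tr -d ' '
}

# Write a constructed sample resembling a Red Hat 5.2-era /etc/passwd to $1.
# The hashes and users are made up; only "root" has been moved to /etc/shadow.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
alice:ab3dfG7hIjkL9:500:500:Alice:/home/alice:/bin/bash
bob:XyZ12abcDEF34:501:501:Bob:/home/bob:/bin/bash
nopass::502:502:No Password:/home/nopass:/bin/bash
locked:!!:503:503:Locked:/home/locked:/bin/bash
EOF
}

# Demonstration on the constructed sample; against the real file run
#   unshadowed_accounts /etc/passwd
sample=$(mktemp)
write_sample_passwd "$sample"
echo "Accounts not protected by shadowing in $sample:"
unshadowed_accounts "$sample"
echo "Total: $(unshadowed_count "$sample")"
rm -f "$sample"
```

If the script lists anything, the fix is the one the post recommends: move the hashes into /etc/shadow, which is readable by root only. On a Red Hat 5.2 box that means installing the shadow-utils package and running pwconv, then re-running the check until it prints nothing.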