On Sun, 17 Nov 1996, Dave Kinchlea wrote:
On Sun, 17 Nov 1996, The Deviant wrote:
On Sun, 17 Nov 1996, Adam Shostack wrote:
A longer salt would make running crack against a large password file slower.
While thats all well and good, it shouldn't be necisary. If passwords are shadowed, one must have root access before one can run crack against the password list, at which time it is innefective.
I couldn't disagree more (not that I necessarily agree or disagree with Adam's approach). Sure, once you have root you don't need any other access, until the hole is found and closed that gave root in the first place. After that, that /etc/shadow file with the lousy passwords (that seem inevitable with folks using /etc/shadow as they get complacent with a false sense of security) provide the would-be cracker with a set of local accounts to (try to) break in again. Local accounts are definitely an advantage should you be looking for way to break any Unix variant.
The moral of the story is: ALWAYS ensure that whatever passwords you have on your unix system are not beatable by crack, don't rely upon hiding them because if you are wrong you are in it up to your neck!
cheers, kinch
Oh.. you misunderstand what I'm saying... I'm not saying its unemportant for you to have good passwords or anything like that, I'm just pointing out that rather than replace the entire system, its more prudent to fully install it. I still think admins should run crack against their own lists, etc., but that still shouldn't be a problem to a good cracker. If you've just gotten root on a system, you start backdooring everything, not trying to crack the password list. --Deviant Even God cannot change the past. -- Joseph Stalin