Fundamentals of UNIX passwords

                    ------------------------------

                          By: Mr. Slippery

I will answer the following questions:

What are good passwords? What are bad passwords? Why does UNIX
System V require 6-character passwords with funny characters?
How long would it take to break ANY 6-character password?

In 1981, Robert Morris and Ken Thompson wrote up their findings about
passwords. The document is called "Password Security - A Case History"
and is present in the documentation for some versions of UNIX.

They did a survey of various systems and found that out of 3,289
passwords, 15 were a single character, 72 were 2 characters long,
464 were 3 characters, 477 were 4 alphanumeric, 706 were 5 letters,
605 were 6 letters, all lower case, and 492 appeared in various
dictionaries. 86% of the passwords were thus easily breakable if
you have a password-cracking program and access to the password
file. This is why UNIX System V requires a minimum of 6 characters,
some of which must not be letters.

The article also said that some "good" things to try are dictionary
entries with the words spelled backwards, lists of first names, last
names, street names, city names (try with an initial upper case
letter as well), valid license plate numbers in your state, room
numbers, telephone numbers and the like.

Others have suggested that people use women's names (with a
trailing digit), their logins repeated or massaged (login abc,
password abcabc, cbacba), anything in the "GECOS" (comment) field of
the password file, and anything significant that you know about the
person (their kid's name).
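As an added illustration (not part of the original article), here is a small Python check that applies the guessing heuristics above in reverse, the way a picky passwd program would, and rejects a candidate password that any of them would find. The word list, the sample account and the function names are constructed for the example.

```python
import re

# Constructed stand-in for a system dictionary plus the name lists the
# article mentions (first names, last names, street and city names).
WORDLIST = {"secret", "password", "dragon", "susan", "smith", "chicago", "elm"}


def gecos_words(gecos):
    """Split a GECOS field such as "Susan Smith,Room 401,555-1234" into the
    lowercase tokens a guesser would feed straight into crypt()."""
    return {w for w in re.split(r"[^a-z0-9]+", gecos.lower()) if len(w) >= 3}


def password_problems(password, login, gecos=""):
    """Return the reasons a candidate password is guessable ([] means it passes).

    The rules follow the article: System V's minimum of 6 characters with a
    non-letter, nothing built from the login (repeated or reversed), nothing
    lifted from the GECOS comment field, and no dictionary word or name
    spelled forwards or backwards, even with an initial capital or a
    trailing digit tacked on.
    """
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if password.isalpha():
        problems.append("letters only; System V wants at least one non-letter")
    # Strip the two cheap disguises the article mentions: an initial
    # capital (by lowercasing) and a trailing digit.
    core = re.sub(r"\d+$", "", password.lower())
    login = login.lower()
    if core in {login, login[::-1], login * 2, login[::-1] * 2}:
        problems.append("derived from the login name")
    if core in gecos_words(gecos):
        problems.append("appears in the GECOS field")
    if core in WORDLIST or core[::-1] in WORDLIST:
        problems.append("dictionary word or name, forwards or backwards")
    return problems


if __name__ == "__main__":
    # Constructed account: login "ssmith", GECOS "Susan Smith,Room 401".
    for candidate in ("Susan1", "terces9", "k7#Qz!m"):
        print(candidate, password_problems(candidate, "ssmith", "Susan Smith,Room 401") or "ok")
    print("abcabc", password_problems("abcabc", "abc"))   # the article's own example
```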

But what about trying every possible password? How long would it take?
The article had some numbers based on a PDP 11/70. It showed that
6-character passwords were too hard to break by exhaustive search if
someone was forced to use more than just letters and numbers. Using
all 95 printable characters, it would take a PDP 11/70 about 33 years
to try all of them. BUT TIMES ARE CHANGING. One fine weekend I tried
the same experiment with a modern 25MHz computer. From 33 years it's
down to 6 months. If you have access to a mainframe or Cray, it could
be a matter of days or weeks to break a password.

Of course, this is not something that would go unnoticed. Using up all
the resources of a Cray would show up, but over a long weekend, who
knows? If people are paying attention to the system activity (sar)
they will notice that you've used up all the system resources and
start asking potentially embarrassing questions.

If you have a bunch of friends to help and divide up the job,
it could be a lot faster. Naturally though, it has to be worth your
time and effort. Someone running Xenix or MINIX on a PC is hardly
worth the effort.

And if the person was using 7- or 8-character passwords it would take
just too long.

If you examine the password encryption method that UNIX uses, you
will notice that a 'salt' is used. This can have 4K (4,096 for the
uninitiated) values, so generating every possible password IN ADVANCE
would take 4K times the time required for a single search, so it's
not worth the attempt either.
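To make the arithmetic of the last few paragraphs reusable, here is an added Python estimator (not from the article). It assumes the article's own figures: 95 printable characters, a 4,096-value salt, and a crypt() trial rate worked backwards from "33 years for every 6-character password on a PDP 11/70" and "6 months on a 25MHz PC"; the function names are constructed.

```python
# Added example: estimates exhaustive-search and precomputation cost from the
# figures quoted in the article. Every constant below is an assumption taken
# from the text, not a measurement.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
PRINTABLE = 95   # every printable ASCII character, as in the article
LOWERCASE = 26   # letters only, the case System V's non-letter rule rules out
SALTS = 4096     # the 4K salt values the article mentions


def keyspace(length, alphabet=PRINTABLE):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def implied_rate(length, years, alphabet=PRINTABLE):
    """crypt() trials per second implied by a quoted 'searching every
    length-symbol password takes this many years' figure."""
    return keyspace(length, alphabet) / (years * SECONDS_PER_YEAR)


def search_years(length, rate, alphabet=PRINTABLE):
    """Years to try every password of the given length at `rate` trials/s."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def precompute_years(length, rate, alphabet=PRINTABLE, salts=SALTS):
    """A table of every password under every salt costs `salts` full
    searches, which is why the salt makes precomputation unattractive."""
    return search_years(length, rate, alphabet) * salts


if __name__ == "__main__":
    pdp = implied_rate(6, 33)     # PDP 11/70: 33 years for 95^6 passwords
    pc = implied_rate(6, 0.5)     # 25MHz PC: 6 months for the same space
    print(f"PDP 11/70 ~{pdp:,.0f} trials/s, 25MHz PC ~{pc:,.0f} trials/s")
    for length in (6, 7, 8):
        print(f"{length} printable chars: {search_years(length, pc):,.1f} years on the PC")
    hours = search_years(6, pc, LOWERCASE) * SECONDS_PER_YEAR / 3600
    print(f"6 lowercase letters on the PC: {hours:.1f} hours")
    print(f"table of all 6-char passwords x 4096 salts: {precompute_years(6, pc):,.0f} years")
```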

How long will the 'door' be open? The fact that people are getting
better and better at guessing passwords is not lost on all concerned.
AT&T has put something called "password shadowing" in their latest
release (V.3.2). Basically what they did is to move the encrypted
passwords into a separate file that is unreadable by anyone but root.
This stops people from taking the password file to another machine
and working on it at leisure. SUN and IBM are doing similar things
(hang around USENIX/Uniforum when the shows come to your town to see
what they are up to).

Well, what is this all leading up to? Are people going to give up
their hobby? Just between you and me, I kind of doubt it. Password
'shadowing' is optional, after all. People will still choose bad
passwords or even no passwords. Many people will not load the latest
operating systems.

On the other hand, it's not only UNIX systems that people choose bad
passwords for. I assume that I could break many hackers' and phreaks'
passwords on various boards but that would be unfriendly and get me
into trouble, so I won't try :-) (for the novice, this is a smiley
face and means that I'm joking; :-( is a frown). Those out there who
are sysops might want to see what people choose for passwords since
I assume we're almost as lazy as other people. Me, I don't use
anything that you could guess except on one board that had trouble
with special characters!

Writing a password cracker: On UNIX, at least, this is simple assuming
you have access to the 'domestic' version. The 'international' version
has the crypt function deleted. I don't know why they bothered since
all the KGB has to do is visit any one of 10,000 sites with UNIX
source code, but I guess the government likes to play "let's pretend".

By the way, in case you are waiting for a nice cheap FAST DES chip to
come out, the UNIX people did not exactly use DES. They diddled it a
bit to stop hardware from making the job too fast: the salt perturbs
the expansion step inside the cipher and the whole thing is iterated
25 times, so a stock DES chip cannot be dropped in as-is.

I assume that the principles I've talked about here apply to other
operating systems. Some are a LOT easier. The earlier versions of the
Pick operating system did not even encrypt the passwords. All you had
to do was to 'dump' the right 'frame' of disk to see them! I think
that some of the mainframe packages such as RACF or ACF2 don't encrypt
but I'm not 100% sure.

A final thought: one thing to look for in general is assumptions made
a number of years ago that people have not reexamined. Exhaustive
search of 6-character passwords is just one example. I'm sure there
are others.

    This is one of MANY Great MYSTERY Notes at:

                 The Mystery Zone
                  (312) 231-6193