Re: Password checking

"Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu> Wed, 04 April 1990 21:01 UTC

Received: from uxc.cso.uiuc.edu by cert.sei.cmu.edu (5.61/2.2) id AA22220; Wed, 4 Apr 90 17:01:46 -0400
Received: by uxc.cso.uiuc.edu with SMTP (5.61+/IDA-1.2.8) id AA03576; Wed, 4 Apr 90 16:00:53 -0500
Reply-To: Paul-Pomes@uiuc.edu
To: art@dinorah.wustl.edu
Cc: ssphwg@cert.sei.cmu.edu
Subject: Re: Password checking
In-Reply-To: Your message of Wed, 04 Apr 90 15:13:42 CDT. <9004042013.AA04393@dinorah.wustl.edu>
Date: Wed, 04 Apr 90 16:00:50 CDT
Message-Id: <3572.639262850@uxc.cso.uiuc.edu>
From: "Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu>

It's far better to prevent weak passwords in the first place.  I have a
fairly useful password cracker (pwc.c) program that's run as needed
on workstations, however it uses a lot of resources when given the
dictionary as a key source.  Many of the same checks put into pwc.c
are far more effective when used in passwd.c to disallow the choice
of a poor password.

Over time I've gathered some interesting numbers about password habits.
Given a password file from a departmental machine with about 300 accounts,
3-5% of the accounts can be cracked within 20 minutes just by checking
for the login name repeated as the password, spelled backwards, doubled
(for short names), and also all tokens in the GECOS field.  Each check
is tried four ways: as is, all lower case, all upper case, leading capital.
Another 12% can be obtained by throwing in /usr/dict/words.  The latter
requires the use of Baldwin's fast DES code.

The new version of passwd.c is being beta-tested in house and will be
submitted to both Berkeley and the cert-tools list once it has been torture
tested by the undergrads.  If there's sufficient interest, I'll make
both the pwc.c and passwd.c programs available for anon-FTP at that
time.

/pbp