Re: Password checking
"Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu> Wed, 04 April 1990 21:01 UTC
Received: from uxc.cso.uiuc.edu by cert.sei.cmu.edu (5.61/2.2) id AA22220; Wed, 4 Apr 90 17:01:46 -0400
Received: by uxc.cso.uiuc.edu with SMTP (5.61+/IDA-1.2.8) id AA03576; Wed, 4 Apr 90 16:00:53 -0500
Reply-To: Paul-Pomes@uiuc.edu
To: art@dinorah.wustl.edu
Cc: ssphwg@cert.sei.cmu.edu
Subject: Re: Password checking
In-Reply-To: Your message of Wed, 04 Apr 90 15:13:42 CDT. <9004042013.AA04393@dinorah.wustl.edu>
Date: Wed, 04 Apr 1990 16:00:50 -0500
Message-Id: <3572.639262850@uxc.cso.uiuc.edu>
From: "Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu>
It's far better to prevent weak passwords in the first place. I have a fairly useful password cracker (pwc.c) program that's run as needed on workstations; however, it uses a lot of resources when given the dictionary as a key source. Many of the same checks put into pwc.c are far more effective when used in passwd.c to disallow the choice of a poor password.

Over time I've gathered some interesting numbers about password habits. Given a password file from a departmental machine with about 300 accounts, 3-5% of the accounts can be cracked within 20 minutes just by checking for the login name repeated as the password, spelled backwards, doubled (for short names), and also all tokens in the GECOS field. Each check is tried four ways: as is, all lower case, all upper case, leading capital. Another 12% can be obtained by throwing in /usr/dict/words. The latter requires the use of Baldwin's fast DES code.

The new version of passwd.c is being beta-tested in house and will be submitted to both Berkeley and the cert-tools list once it has been torture tested by the undergrads. If there's sufficient interest, I'll make both the pwc.c and passwd.c programs available for anon-FTP at that time.

/pbp
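The account-derived checks listed in the message, applied at password-change time to reject a candidate, as an added example that is not the pwc.c or passwd.c code (neither appears on this page). The function names, the 63-character token limit, the GECOS separators (space, comma, period) and the reading of "leading capital" as first letter upper case with the rest lower case are all assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXTOK 64   /* assumed limit; longer tokens are skipped */

/* Compare cand with tok in the four forms the message lists. */
static int match_four_ways(const char *tok, const char *cand)
{
    char v[MAXTOK];
    size_t i, n = strlen(tok);
    if (n == 0 || n >= MAXTOK) return 0;
    if (strcmp(tok, cand) == 0) return 1;                  /* as is */
    for (i = 0; i <= n; i++) v[i] = (char)tolower((unsigned char)tok[i]);
    if (strcmp(v, cand) == 0) return 1;                    /* all lower case */
    v[0] = (char)toupper((unsigned char)v[0]);
    if (strcmp(v, cand) == 0) return 1;                    /* leading capital */
    for (i = 0; i < n; i++) v[i] = (char)toupper((unsigned char)tok[i]);
    return strcmp(v, cand) == 0;                           /* all upper case */
}

/* Return 1 if cand is a guess derived from the account's own login name
 * or GECOS field (hypothetical helper, meant to be called before a new
 * password is accepted), 0 otherwise. */
int is_weak_password(const char *login, const char *gecos, const char *cand)
{
    char buf[MAXTOK], g[256], *tok;
    size_t i, n = strlen(login);

    if (n > 0 && n < MAXTOK) {
        if (match_four_ways(login, cand)) return 1;        /* login name */
        for (i = 0; i < n; i++) buf[i] = login[n - 1 - i];
        buf[n] = '\0';
        if (match_four_ways(buf, cand)) return 1;          /* spelled backwards */
        if (2 * n < MAXTOK) {                              /* doubled */
            snprintf(buf, sizeof buf, "%s%s", login, login);
            if (match_four_ways(buf, cand)) return 1;
        }
    }
    snprintf(g, sizeof g, "%s", gecos);                    /* strtok edits its input */
    for (tok = strtok(g, " ,."); tok; tok = strtok(NULL, " ,."))
        if (match_four_ways(tok, cand)) return 1;          /* GECOS tokens */
    return 0;
}

int main(void)
{
    /* Constructed sample account, not taken from any real password file. */
    printf("%d\n", is_weak_password("jsmith", "John Q. Smith,Room 12", "Htimsj"));
    return 0;
}
```
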