Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: bdavids1 () transformers labs gmu edu (Brian Davidson)
Date: Tue, 4 Jun 1996 04:06:30 -0400


On Tue, 4 Jun 1996, Alan Brown wrote:

> I think this one comes under the heading of "brute force attack" - just
> with alphanumerics (a-z,A-Z,0-9) you're looking at needing 62^8 entries
> for a complete set of 8 character passwords. It's probably faster to try
> and decrypt the passwd file entry directly.

It's the same thing.  The encryption used is 1 way.  Cracking programs
encrypt the words in the dictionary and compare them to what's in the
password file.  In some ways going through pop is better.  If the
SysAdmin changed the encryption routine (say, made it encrypt the
passwords 26 times instead of 25 times).

Against a single user account, crack would probably run faster (assuming
you could get the password file), since you wouldn't be going across a
network.

Against multiple accounts, crack has to encrypt each word in the
dictionary with multiple salts (4096, put there to slow down such attacks).
I believe (but could be wrong) that an attack against pop would be
faster.  You can spawn multiple processes, all filling up all the
available bandwidth, and trying to get in.  You don't have to encrypt each
dictionary word even once, let alone 4096 times.

Even if I'm wrong, and the network slows everything down so that pop is
*much* slower, it still has the advantage of not requiring access to the
password file.  Also if it doesn't log illegal attempts, then it beats
other methods of trying to get in.

Getting in the first time is the hardest part of breaking a system.  Once
inside, the number of ways to gain root access is sometimes tremendous.
I'd rather keep the intruder outside, where it's very hard to get in.
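Added example, not part of this post or the thread: the remark about a POP server that does not log failed attempts is the defender's lever. Assuming the server does log each failure in a syslog-like line (the line format and sample entries below are constructed for this example, not the output of any particular POP daemon), this script flags sources that pile up failures across accounts within a short window, which is what the online guessing described above looks like from the server side.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
Jun  4 03:58:01 mailhost popper[1201]: failed login for alice from 10.0.0.7
Jun  4 03:58:02 mailhost popper[1202]: failed login for alice from 10.0.0.7
Jun  4 03:58:02 mailhost popper[1203]: failed login for bob from 10.0.0.7
Jun  4 03:58:03 mailhost popper[1204]: failed login for alice from 10.0.0.7
Jun  4 03:58:04 mailhost popper[1205]: failed login for carol from 10.0.0.7
Jun  4 03:58:05 mailhost popper[1206]: failed login for alice from 10.0.0.7
Jun  4 03:58:06 mailhost popper[1207]: failed login for alice from 10.0.0.7
Jun  4 03:59:10 mailhost popper[1208]: failed login for dave from 192.168.1.5
Jun  4 04:05:10 mailhost popper[1209]: failed login for dave from 192.168.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ popper\[\d+\]: "
    r"failed login for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text, year=1996):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def guessing_sources(log_text, threshold=5, window_seconds=60):
    """Return {source: total failures} for each source that produced at
    least `threshold` failed logins inside any `window_seconds` window."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```

A source that spreads two failures six minutes apart (192.168.1.5 above) is not flagged; the one hammering several accounts within a few seconds is.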
