Fundamentals of UNIX passwords
                    ------------------------------
                          By: Mr. Slippery


I will answer the following questions:

What are good passwords? What are bad passwords? Why does UNIX
system V require 6 character passwords with funny characters?
How long would it take to break ANY 6 character password.

In 1981, Rober Morris and Ken Thompson wrote up their findings about
passwords. The document is called "Password Security - A Case History"
and is present in the documentation for some versions of UNIX.

They did a survey of various systems ands found that out of 3,289
passwords 15 were a single character, 72 were 2 characters long,
464 were 3 chars, 477 where 4 alphanumeric, 706 were 5 letters,
605 were 6 letters, all lower case and 492 appeared in various
dictionaries. 86% of the passwords were thus easily breakable if
you have a password hacker and access to the password file. This
is why UNIX V requires a minimum 6 characters some of which must
not be letters.


The article also said that some "good" things to try are dictionary
entries with the words spelled backwards, list of first names, last
names, street names, city names, (try with an inital upper case
letter as well), valid license plate numbers in your state, room
numbers, telephone numbers and the like.

Some others have suggested that people use woman's names (with a
trailing digit), their logins repeated or massaged (login abc,
password abcabc, cbacba), anything in the "GECOS" (comment) field of
the password file and anything significant that you know about the
person (their kid's name).

But what about trying every possible password? How long would it take?
The article had some numbers based on a PDP 11/70. It showed that 6
character passwords were too hard to break by exhaustive search if
someone was forced to use more than just letters and numbers. Using
all 95 printable characters, it would take a PDP 11/70 about 33 years
to try all of them. BUT TIMES ARE CHANGING. One fine weekend I tried
the same experiement with a modern 25MHz computer. From 33 years its
down to 6 months. If you have access to a mainframe or cray, it could
be a matter of days or weeks to break a password.

Of course, this is not something that would go unnoticed. Using up all
the resources of a CRAY would show up but over a long weekend, who
knows? If people are paying attention to the system activity (sar)
they will notice that you've used up all the system resources and
start asking potentially embarresing questions.

If you have a bunch of friends to help and divide up the job,
it could be a lot faster. Naturally though, it has to be worth your
time and effort. Someone running Xenix or MINIX on a PC is hardly
worth the effort.

And if the person was using 7 or 8 character passwords it would take
just too long.

If you examine the password encryptation method that UNIX uses, you
will notice that a 'salt' is used. This can have 4K (4,096 for the
uninitiated) values so generating every possible password IN ADVANCE
would take 4K times whatever the time required so its not worth the
attempt either.

How long will the 'door' be open? This fact that people are getting
better and better at guessing passwords in not lost on all concerned.
AT&T has put something called "password shadowing" in their latest
release (V.3.2). Basically what they did is to make the password file
unreadable by anyone but root. This stops people from taking the
password file to another machine and working on it at leasure. SUN and
IBM are doing similar things (hang around USENIX/Uniforum when the
shows come to your town to see what they are up to).

Well, what is this all leading up to? Are people going to give up
their hobby? Just between you and me, I kind of doubt it. Password
'shadowing' is optional, after all. People will still choose bad
passwords or even no passwords. Many people will not load the lastest
operating systems.

On the other hand, its not only UNIX systems that people choose bad
passwords for. I assume that I could break many hackers and phreaks
passwords on various boards but that would be unfriendly and get me
into trouble, so I won't try :-) (for the novice, this is a smiley
face and means that I'm joking :-( is a frown). Those out there who
are sysops might want to see what people choose for passwords since
I assume we're almost as lazy as other people. Me, I don't use
anything that you could guess except on one board that had trouble
with a special characters!

Writing a password cracker: On UNIX, at least, this is simple assuming
you have access to the 'domestic' version. The 'international' version
has the crypt function deleted. I don't know why they bothered since
all the KGB has to do is visit any one of 10,000 sites with UNIX
source code but I guess the government likes to play "lets pretend".

By the way, in case you are waiting for a nice cheap FAST DES chip to
come out, the UNIX people did not exactly use DES. They diddled it a
bit to stop hardware from making the job too fast.

I assume that the principles I've talked about here apply to other
operating systems. Some are a LOT easier. The earlier versions of the
Pick operating system did not even encrypt the passwords. All you had
to do was to 'dump' the right 'frame' of disk to see them! I think
that some of the mainframe packages such as RACF or ACF2 don't encrypt
but I'm not 100% sure.

A final thought: one thing to look for in general are assumptions made
a number of years ago that people have not reexamined. Exhaustive
searches of 6 character passwords is just one example. I'm sure there
are others.

    This is one of MANY Great MYSTERY Notes at:


                 The Mystery Zone
                  (312) 231-6193