Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ukma!tut.cis.ohio-state.edu!cwjcc!mailrus!uwmcsd1!marque!uunet!mcvax!ukc!stl!stc!james
From: james@tcom.stc.co.uk (James Rouse)
Newsgroups: comp.unix.wizards
Subject: Re: random passwords (was Re: Worm...)
Message-ID: <711@jura.tcom.stc.co.uk>
Date: 1 Dec 88 11:42:02 GMT
References: <28399@tut.cis.ohio-state.edu> <278@aber-cs.UUCP> <10896@ulysses.homer.nj.att.com> <4302@encore.UUCP> <79354@sun.uucp>
Reply-To: james@htc2.UUCP (James Rouse)
Distribution: eunet,world
Organization: STC Telecomms, Harlow Technical Centre, Harlow
Lines: 21

Larry McVoy writes:-
>Add a field somewhere (/etc/failures?) that records the number of 
>failed attempts.  If it reaches some maximum, disallow logins with 
>some message like:
>	("Possible security risk: %d failed attempts\n", failed)
>If the failed number is greater than MAXFAIL/2, then warn the user that
>he ought to reset his password (to anything, including what it was).
[stuff deleted]
>
>Wouldn't this be a much easier and more palatable way to solve the problem?

No, because (unless you have a shadow password file :-) see below) to try a
password you simply get the encrypted version from /etc/passwd, encrypt your
guess and compare the two. The number of attempted logins to your name has
nothing to do with this.
If, however, /etc/passwd was unreadable to the world then this method of attack
would be ruled out. You wouldn't need a shadow passwd file then either.
The one thing that seems to have been assumed in this argument is that
de-encrypting passwords is impossible. It may be very difficult, but if people
are talking about using a mainframe to encrypt the dictionary (!) and grep the
password file, why is everyone so sure that a mainframe cannot be used to
reverse the encryption routine?
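
Added example, not part of the original post: a small audit of the condition the reply turns on, namely whether password hashes sit in a file every user can read, in which case guesses never pass through login and a failed-attempt counter records nothing. The sample file and hashes are constructed, the function names are hypothetical, and "x" marking a shadowed entry is the modern passwd(5) convention, assumed here.

```python
import stat

# Constructed sample in passwd(5) format; the hashes are made-up placeholders.
SAMPLE_PASSWD = """\
root:ab0EXAMPLEhash1:0:0:Operator:/:/bin/sh
james:x:101:10:J Rouse:/usr/james:/bin/sh
guest::102:10:Guest:/usr/guest:/bin/sh
uucp:*:5:5:UUCP:/usr/spool/uucp:/usr/lib/uucp/uucico
"""

def classify_field(pw):
    """Say what the second passwd field exposes to anyone who can read the file."""
    if pw == "":
        return "empty"        # no password at all
    if pw == "x":
        return "shadowed"     # assumed convention: hash kept in a root-only file
    if pw[0] in "*!":
        return "locked"       # cannot match any crypt() output
    return "hash"             # crypt() output available for offline comparison

def audit(passwd_text, mode):
    """Return (world_readable, findings) for passwd contents and a file mode."""
    world_readable = bool(mode & stat.S_IROTH)
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((lineno, fields[0], "malformed"))
            continue
        kind = classify_field(fields[1])
        if kind == "empty":
            findings.append((lineno, fields[0], "no password set"))
        elif kind == "hash" and world_readable:
            # Guesses against this hash never pass through login, so a
            # failed-attempt counter would record nothing.
            findings.append((lineno, fields[0], "hash readable by all users"))
    return world_readable, findings

if __name__ == "__main__":
    # Same contents, two file modes: world-readable, then owner-only.
    for mode in (0o644, 0o600):
        print(oct(mode), audit(SAMPLE_PASSWD, mode))
```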