Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ukma!tut.cis.ohio-state.edu!cwjcc!mailrus!uwmcsd1!marque!uunet!mcvax!ukc!stl!stc!james From: james@tcom.stc.co.uk (James Rouse) Newsgroups: comp.unix.wizards Subject: Re: random passwords (was Re: Worm...) Message-ID: <711@jura.tcom.stc.co.uk> Date: 1 Dec 88 11:42:02 GMT References: <28399@tut.cis.ohio-state.edu> <278@aber-cs.UUCP> <10896@ulysses.homer.nj.att.com> <4302@encore.UUCP> <79354@sun.uucp> Reply-To: james@htc2.UUCP (James Rouse) Distribution: eunet,world Organization: STC Telecomms, Harlow Technical Centre, Harlow Lines: 21 Larry Mcvoy writes:- >Add a field somewhere (/etc/failures?) that records the number of >failed attempts. If it reaches some maximum, disallow logins with >some message like: > ("Possible security risk: %d failed attempts\n", failed) >If the failed number is greater than MAXFAIL/2, then warn the user that >he ought to reset his password (to anything, including what it was). [stuff deleted] > >Wouldn't this be a much easier and more palatable way to solve the problem? No because (unless you have a shadow password file :-) see below) to try a password you simply get the encrypted version from etc/passwd,encrypt your guess and compare the two. The number of attempted logins to your name has nothing to do with this. If however etc/passwd was unreadable to the world then this method of attack would be ruled out. You wouldn't need a shadow passwd file then either. The one thing that seems to have been assumed in this argument is that de-encrypting passwords is impossible. It may be very difficult, but if people are talking about using a mainframe to encrypt the dictionary (!) and grep the password file why is everyone so sure that a mainframe cannot be used to reverse the encryption routine?