From: "Michael Kjörling" <michael@kjorling.se>
To: tuhs@tuhs.org
Subject: Re: [TUHS] Recovered /etc/passwd files
Date: Sat, 5 Oct 2019 17:29:44 +0000 [thread overview]
Message-ID: <20191005172944.GI20298@localhost> (raw)
In-Reply-To: <6dceffe228804a76de1e12f18d1fc0dc@inventati.org>
On 3 Oct 2019 18:51 +0000, from finnoleary@inventati.org (Finn O'Leary):
> password was something interesting like './,..,/' (it was entirely
> punctuation characters, was around three different characters in total, and
> was pretty damn short).
I'm a bit late to the party here (it's been a crazy week for me and
I'm only just now starting to catch up), but don't forget that hashed
Unix passwords back then were limited to eight bytes (actually I
believe the hard limit was 64 bits' worth of password, so if your
system used less than 8 bits per character, you could theoretically
cram more _characters_ into the password, but not more _entropy_,
which topped out at 2^64 no matter what you did, and in practice a
fair bit less because you wanted to be able to type it in).
Of course, this wasn't a problem in practice when even just hashing a
single candidate password took noticeable fractions of a second. At 100
ms per hash, while you could exhaustively search the lower
alphanumeric four-character space within about two days (my
calculator says 1.944 * 86400 seconds for that) if you could hog the
computer for everyone, by the time you got to six characters the same
search would take almost 7 years, and eight characters the better part
of 9000 years (assuming you kept running it on the same hardware for
the duration).
Adding uppercase A-Z alongside lowercase a-z and 0-9 increases the
exhaustive search time even for the four-character password space to
about 17 days at 100 ms per hash. So with no additional information
for an attacker, even a [a-zA-Z0-9]{4} password was tolerably secure,
and a [a-zA-Z0-9]{5} one was more than good enough if you changed it
once a year (would take about three years to crack at 100 ms/hash).
William Cheswick mentioned 8e9 hashes per second. While that sounds
low for good ol' Unix crypt() to me, at that rate, an exhaustive
search of [a-z0-9]{8} would take about 353 days, again according to my
calculator. [a-z0-9]{4} would finish in about 18 seconds. My _guess_,
without having looked up current numbers, is that these figures are at
least some two orders of magnitude too high given modern hardware.
Just look at EFF's good ol' Deep Crack.
I wasn't really around much at the time, but if _The Cuckoo's Egg_ is
to be believed, the bigger problem was that people in general weren't
any better at choosing good passwords (or keeping them secret) back
then than they are today. That honestly wouldn't particularly surprise
me. Technology advances, but people remain largely the same?
--
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“The most dangerous thought that you can have as a creative person
is to think you know what you’re doing.” (Bret Victor)
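The cost model behind the figures in the message above, as an added example that is not part of the original post or thread. It takes the alphabet size, password length and hash rate as parameters, reproduces the 100 ms/hash numbers (1.944 days for [a-z0-9]{4}, about 7 years for six characters, the better part of 9000 years for eight, 17 days for [a-zA-Z0-9]{4}), and applies the 64-bit cap on password entropy that the message attributes to the old 8-byte crypt() input limit. The year length (365.25 days) and the helper names are this example's own choices.

```python
"""Exhaustive-search cost model for fixed-length passwords.

Added example: reproduces the back-of-the-envelope brute-force figures
for a given alphabet size, password length and hash rate, and applies
the 64-bit entropy cap described for the classic 8-byte Unix crypt().
Constants and helper names are this example's assumptions.
"""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY  # assumed year length

# Alphabet sizes used in the message.
LOWER_ALNUM = 26 + 10          # [a-z0-9]
MIXED_ALNUM = 26 + 26 + 10     # [a-zA-Z0-9]

# Classic DES-based crypt() consumed at most 8 bytes of password.
CRYPT_INPUT_BITS = 64


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def password_bits(alphabet_size: int, length: int,
                  cap_bits: float = CRYPT_INPUT_BITS) -> float:
    """Entropy of a uniformly chosen password, capped at the hash input limit.

    Past the cap, a longer or richer password buys no extra search effort.
    """
    return min(length * math.log2(alphabet_size), cap_bits)


def max_chars_in_hash_input(bits_per_char: int,
                            input_bits: int = CRYPT_INPUT_BITS) -> int:
    """How many characters fit into the hashed input at a given width.

    With 8 bits per character that is 8 characters; with 7-bit characters
    you could fit 9, but the entropy ceiling stays at `input_bits`.
    """
    return input_bits // bits_per_char


def exhaustive_seconds(alphabet_size: int, length: int,
                       hashes_per_second: float) -> float:
    """Worst-case wall-clock time to try every password in the space."""
    return keyspace(alphabet_size, length) / hashes_per_second


def exhaustive_days(alphabet_size: int, length: int,
                    hashes_per_second: float) -> float:
    return exhaustive_seconds(alphabet_size, length, hashes_per_second) / SECONDS_PER_DAY


def exhaustive_years(alphabet_size: int, length: int,
                     hashes_per_second: float) -> float:
    return exhaustive_seconds(alphabet_size, length, hashes_per_second) / SECONDS_PER_YEAR


def cost_table(alphabet_size: int, lengths, hashes_per_second: float):
    """One (length, bits, keyspace, days, years) row per password length."""
    rows = []
    for n in lengths:
        rows.append((
            n,
            password_bits(alphabet_size, n),
            keyspace(alphabet_size, n),
            exhaustive_days(alphabet_size, n, hashes_per_second),
            exhaustive_years(alphabet_size, n, hashes_per_second),
        ))
    return rows


def main() -> None:
    # 100 ms per hash, as in the message, is 10 hashes per second.
    for label, size in (("[a-z0-9]", LOWER_ANLUM) if False else ("[a-z0-9]", LOWER_ALNUM),
                        ("[a-zA-Z0-9]", MIXED_ALNUM)):
        print(f"{label} at 10 hashes/s")
        for n, bits, space, days, years in cost_table(size, (4, 5, 6, 8), 10.0):
            print(f"  len {n}: {bits:5.1f} bits  {space:>16,d} candidates"
                  f"  {days:12,.1f} days  {years:10,.1f} years")


if __name__ == "__main__":
    main()
```

Running it prints one row per length for each alphabet; the 8e9 hashes/s figure from the message can be fed to the same functions as a third rate to compare.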