The Unix Heritage Society mailing list
From: Adam Thornton <athornton@gmail.com>
To: Arthur Krewat <krewat@kilonet.net>
Cc: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] Recovered /etc/passwd files
Date: Wed, 9 Oct 2019 15:05:29 -0700
Message-ID: <CAP2nic2g47RBxDhyvrDBSLSnd6j_bNeSfzkWhOShEFFpWMRhKA@mail.gmail.com>
In-Reply-To: <3a088340-49bd-b828-cd38-99b35e39ae42@kilonet.net>

It is, if nothing else, a nice example of Moore's Law.

Here's a thing on the distribution tape (at least, I assume it was; happy
to be wrong here) but which was assumed to be fundamentally safe, because
it was computationally infeasible to rainbow-table the hash...so why not
leave your real password hash on the images you gave to the world?

40 years later, it's obviously within the reach of hobbyists spending, I
presume, essentially zero dollars to do the computational work (at least, I
hope no one sunk more than a few bucks on doing it).

...which is why we went to salted passwords, and shadow pw files that hid
the hashes while leaving the other fields available to all users, and more
secure and longer hashes than original crypt(1), quite some time ago.

In fact there's an interesting little essay about the history of that arms
race up until about 33 years ago in the 1986 Unix System Manager's Manual,
Section 18.  It's by two guys named Morris and Thompson.

On Wed, Oct 9, 2019 at 2:16 PM Arthur Krewat <krewat@kilonet.net> wrote:

> On 10/9/2019 5:09 PM, Warner Losh wrote:
> > Only if he still uses it for online banking... :)
>
> LMFAO.
>
>
>

