From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 0b461705 for ; Wed, 9 Oct 2019 22:06:14 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id ACA929475D; Thu, 10 Oct 2019 08:06:13 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 132FF93D40; Thu, 10 Oct 2019 08:05:46 +1000 (AEST) Authentication-Results: minnie.tuhs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="UrpRrvgE"; dkim-atps=neutral Received: by minnie.tuhs.org (Postfix, from userid 112) id B4C9593D40; Thu, 10 Oct 2019 08:05:43 +1000 (AEST) Received: from mail-oi1-f176.google.com (mail-oi1-f176.google.com [209.85.167.176]) by minnie.tuhs.org (Postfix) with ESMTPS id 2EA2C93D09 for ; Thu, 10 Oct 2019 08:05:43 +1000 (AEST) Received: by mail-oi1-f176.google.com with SMTP id x3so3161090oig.2 for ; Wed, 09 Oct 2019 15:05:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1raAZXcD7Tl6DUR6Ijxv/Kea6TayhqbodFHAEcwUa8Y=; b=UrpRrvgEmh4DO8yLiQlFnLY7jBwFoJ/EpKaJ36amlgxGNrX5Y6EgABqdHxYVvUxHoN 2/0BjSCS3g1X+s1kvg4Vck6BbqDIHTrWgw+cgPfS4n3HxtVpHOgvudYW43pDcpStSbrq uNm5q87JPzkZ0zlYicn5lqdAi5KaHfa7YlNtSfDQ3bfqRv6Z5f1ilLSno17Y9B/tmXLO nWuPAv/5a0AtaYG6S/HNWDjdSWBISDRJCP8j1rpe0flVUl0Cgui/v74SXYw8SxlIJ4Fj XGWHGKQeIO4BF+SAnGEhPri+9nFtUHJrchBs+BIFMwaKkwux7RbfswaUrrsXRqQf7/Am A3aw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1raAZXcD7Tl6DUR6Ijxv/Kea6TayhqbodFHAEcwUa8Y=; b=MiinP3H0cbCgWNsbW/vpz2ahrm+OzcXtLJyARyzCLtwtt+rp+dfQaN2477p9q09Kys ta5j1Sc8IblZ0NSBoVEMJRSo9IJ8NLJs40iPgevUh2NWPxiImRBKkQJVL8kEN7UIMKcv lnqJvc91GKFeRmFNu/iw+bYjoYOP0IIyHhadQlVqnv4OxfB7uGoKeiI6A0+PwzOG6/VM t1YhSl2rKoySULzg8ueu9dBhl00ldgggoKEZybMQ+b3RvQWwLgyMqLlvTUaaJv2JK1Q6 4ZOVnpxu3sgUkIQyL+puukpwjJAmmiEg7lbgi0c92i0iQCRRinF6jtkA/n2bGtRV1SDS jYKA== X-Gm-Message-State: APjAAAXQe74NKBBRxZIarLruXH2/cxcggMIvGnaDgvzHcSPfDgTVWVUU yd9sgE6aTFacAqLhEzMnhd5NJhHhFg9F01HOe6bhmA== X-Google-Smtp-Source: APXvYqzSNuVR1prcXaz0Vku4YF1PLDeDP/aijWxAKE9S12IFLzWnnftOpPdKT54MAIrV3d1cmQMXN0kZHd3Kgduuwng= X-Received: by 2002:aca:882:: with SMTP id 124mr4563414oii.54.1570658742101; Wed, 09 Oct 2019 15:05:42 -0700 (PDT) MIME-Version: 1.0 References: <1570559927.29337.for-standards-violators@oclsc.org> <2e6e1005-3bbf-5dcc-3fcc-099864c752dc@kilonet.net> <8088e5bd-3530-d3e1-8066-db6ea9389dea@kilonet.net> <20191009200942.GA73878@wopr> <20191009210513.B3660156E80B@mail.bitblocks.com> <3a088340-49bd-b828-cd38-99b35e39ae42@kilonet.net> In-Reply-To: <3a088340-49bd-b828-cd38-99b35e39ae42@kilonet.net> From: Adam Thornton Date: Wed, 9 Oct 2019 15:05:29 -0700 Message-ID: To: Arthur Krewat Content-Type: multipart/alternative; boundary="00000000000062ebc60594817cd3" Subject: Re: [TUHS] Recovered /etc/passwd files X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: tuhs@minnie.tuhs.org Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --00000000000062ebc60594817cd3 Content-Type: text/plain; charset="UTF-8" It is, if nothing else, a nice example of Moore's Law. Here's a thing on the distribution tape (at least, I assume it was; happy to be wrong here) but which was assumed to be fundamentally safe, because it was computationally infeasible to rainbow-table the hash...so why not leave your real password hash on the images you gave to the world? 40 years later, it's obviously within the reach of hobbyists spending, I presume, essentially zero dollars to do the computational work (at least, I hope no one sunk more than a few bucks on doing it). ...which is why we went to salted passwords, and shadow pw files that hid the hashes while leaving the other fields available to all users, and more secure and longer hashes than original crypt(1), quite some time ago. In fact there's an interesting little essay about the history of that arms race up until about 33 years ago in the 1986 Unix System Manager's Manual, Section 18. It's by two guys named Morris and Thompson. On Wed, Oct 9, 2019 at 2:16 PM Arthur Krewat wrote: > On 10/9/2019 5:09 PM, Warner Losh wrote: > > Only if he still uses it for online banking... :) > > LMFAO. > > > --00000000000062ebc60594817cd3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
It is, if nothing else, a nice example of Moore's= Law.

Here's a thing on the distribution tape = (at least, I assume it was; happy to be wrong here) but which was assumed t= o be fundamentally safe, because it was computationally infeasible to rainb= ow-table the hash...so why not leave your real password hash on the images = you gave to the world?

40 years later, it'= s obviously within the reach of hobbyists spending, I presume, essentially = zero dollars to do the computational work (at least, I hope no one sunk mor= e than a few bucks on doing it).

...which is why w= e went to salted passwords, and shadow pw files that hid the hashes while l= eaving the other fields available to all users, and more secure and longer = hashes than original crypt(1), quite some time ago.

In fact there's an interesting little essay about the history of that= arms race up until about 33 years ago in the 1986 Unix System Manager'= s Manual, Section 18.=C2=A0 It's by two guys named Morris and Thompson.=

On Wed, Oct 9, 2019 at 2:16 PM Arthur Krewat <krewat@kilonet.net> wrote:
On 10/9/2019 5:09 PM, Warner Losh w= rote:
> Only if he still uses it for online banking... :)

LMFAO.


--00000000000062ebc60594817cd3--