cracking passwords

cracking passwords

Post by matt ve » Tue, 26 Sep 2000 04:00:00



Hey all,

I have a question about cracking passwords.

I run john to check that my passwords are safe(ish).

I know that the way unix deals with passwords is to put them through a
one way hashing algorithm, and stores the result. So john tries to
crack passwords by using a word list (or just iterating), and hashing
the result and checking it against the password file.

What I am confused about is that this method seems to rely on knowing
the encryption algorithm beforehand. What if you don't? Surely this
would then make it much more difficult to crack passwords.

In the light of this, why do all unixes use the same crypt function
(or am I mistaken, and you need to know the unix flavour to know the
encrytion algorithm). And why not choose from 500 different algorithms
when you config your system to make it much harder?

Thanks for any info!

Matt

 
 
 

cracking passwords

Post by Mike Fischbei » Tue, 26 Sep 2000 04:00:00



Quote:> What I am confused about is that this method seems to rely on knowing
> the encryption algorithm beforehand. What if you don't? Surely this
> would then make it much more difficult to crack passwords.

Well, that depends on how good the encryption algorithm you
use is.  I mean, I'll use the best one on my system, and you
can keep your passwords in ROT13.  Seriously, some systems
have started putting in the option for using different hash
algorithms -- that's part of what Pluggable Authentication
Modules (PAM) offer.

Quote:> In the light of this, why do all unixes use the same crypt function
> (or am I mistaken, and you need to know the unix flavour to know the
> encrytion algorithm). And why not choose from 500 different algorithms
> when you config your system to make it much harder?

They use the same function so that the hashes can be shared and
thus users can use the same passwords on different vendor's systems.
In a way, they do choose different algorithms for each password
(not each system) -- see what the "salt" does.

        mike

--

Any opinions  expressed are  mine and not necessarily
those of any other entity. They may not even be mine.

 
 
 

cracking passwords

Post by Alun Jon » Tue, 26 Sep 2000 04:00:00




> In the light of this, why do all unixes use the same crypt function
> (or am I mistaken, and you need to know the unix flavour to know the
> encrytion algorithm). And why not choose from 500 different algorithms
> when you config your system to make it much harder?

Is that 500 different algorithms, or one algorithm with five hundred
parameters?

Note that this is essentially what the 'salt' in a Unix password does - it
permutes the algorithm (or more precisely, its tables) in one of 4096 ways
before encrypting the password.

Note that choosing an algorithm and hoping that noone figures it out would
be akin to security by obscurity.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

 
 
 

cracking passwords

Post by Alan J Rosenth » Wed, 27 Sep 2000 10:52:43



>What I am confused about is that this method seems to rely on knowing
>the encryption algorithm beforehand. What if you don't?

Well, normally in cryptology we assume that the attacker knows the
algorithm...

and normally we are careful NOT to be secretive about algorithms, because the
peer review process is the only way to gain confidence in the cryptographic
properties of an algorithm, that there aren't shorter ways to compute
equivalent functions and that sort of thing.

Quote:>Surely this would then make it much more difficult to crack passwords.

I disagree, for indirect reasons:

Quote:>And why not choose from 500 different algorithms
>when you config your system to make it much harder?

Because it's much more effective to choose one of the best algorithms.
You figure out your constraints (including how slowly it can be permitted to
run) and you choose a good algorithm within those constraints.  *This* is the
technique for making the passwords hard to crack.

"Random numbers should not be generated by a method chosen at random."
                                -- attributed to Donald Knuth

 
 
 

cracking passwords

Post by matt ve » Wed, 27 Sep 2000 04:00:00


Ok, thanks for all the help.

I have one more question.

How would you go about cracking a password that was encrypted using an
unknown and completely new algorithm?

Thanks
Matt

 
 
 

cracking passwords

Post by Arthur Clun » Wed, 27 Sep 2000 04:00:00


: How would you go about cracking a password that was encrypted using an
: unknown and completely new algorithm?

Learn maths. Read about cryptoanalysis. Enjoy.

Arthur

--
Arthur Clune
Cosmologists are often in error but never in doubt - Lev Landau

 
 
 

cracking passwords

Post by Alun Jon » Wed, 27 Sep 2000 04:00:00




> Ok, thanks for all the help.

> I have one more question.

> How would you go about cracking a password that was encrypted using an
> unknown and completely new algorithm?

Get a job as a janitor for the company that developed the algorithm.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

 
 
 

cracking passwords

Post by matt ve » Thu, 28 Sep 2000 04:00:00


Hmm. Does anyone have any knowledge as to how you would do this?

I know very little about cryptography, but it seems to me that if you
don't know the algorithm, and can't get the source - then you will
have to try to crack the password by incrementally guessing it. Which
is really the best you can hope for.

Thanks,
Matt

 
 
 

cracking passwords

Post by Andreas Gunnarsso » Thu, 28 Sep 2000 04:00:00



> I know very little about cryptography, but it seems to me that if you
> don't know the algorithm, and can't get the source - then you will
> have to try to crack the password by incrementally guessing it. Which
> is really the best you can hope for.

If you've come up with a secure way to store the algorithm and the program
implementing it, why don't you just store the information unencrypted the
same way instead of encrypting it?

   Andreas

--

Carlstedt Research & Technology
Phone: +46 31 7014268
Mobile: +46 70 4262889
Fax: +46 31 101987

 
 
 

cracking passwords

Post by Bill Unr » Thu, 28 Sep 2000 04:00:00



]Hmm. Does anyone have any knowledge as to how you would do this?

What password?

]I know very little about cryptography, but it seems to me that if you
]don't know the algorithm, and can't get the source - then you will

You do know the algorithm. You do know the source.

]have to try to crack the password by incrementally guessing it. Which
Yes, that is often the best you can do

]is really the best you can hope for.