Long shadow passwords less secure than normal ones?


Post by Bernd Mey » Sat, 04 Sep 1993 05:42:55



Hi,

I recently looked through the source of the shadow-packet and discovered
that, given a password longer than 8 characters, the routine pw_encrypt
simply splits it into two parts, one being the first 8 characters, the other
being the rest. These get encrypted separately, and the result is stored
separately.

This looks like an invitation for a security hole to me - most people (me
included) tend to think "A long password is a good password". And, as we all
know, a password should contain some punctuation and some non-letters. Now

Crack. One part that is encrypted is just some variation of "receiver", the
other one is only three characters long.

So the long passwords in the current shadow implementation look more like
two passwords to Crack, one of which can probably be broken by brute force
(even the second part of a 13 character password could be found within a
couple of hours), the other one probably less obscured by digits/punctuation
than a standard one.

My advice for system administrators thus seems to be: "Either force your
users to use REALLY long words and make sure that they know the way the
passwords are encrypted, or recompile the shadow stuff without the option
for long passwords enabled."

Bernie

--
We both know that the earth is round         | Bernd Meyer, EE-student
So we can't see the way before us to its end | "Nobody is a failure who has
We walk on this way, hand in hand,           |  friends" (from: isn't it a    
And I hope you are still with me behind the horizon| wonderful life?"
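A password check that judges each stored part separately, matching the split described in the post above. This is an added example, not code from the thread or from the shadow suite; the function name, the flag names and the `MIN_TAIL` threshold are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HEAD_LEN 8   /* split point described in the post */
#define MIN_TAIL 6   /* assumed local policy threshold, not a shadow-suite value */

enum { PW_OK = 0, TAIL_TOO_SHORT = 1, PART_ONLY_LETTERS = 2 };

/* Nonzero if s[0..n) contains at least one non-letter. */
static int has_nonletter(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isalpha((unsigned char)s[i]))
            return 1;
    return 0;
}

/* Judge each stored part on its own, because each part is hashed on its own. */
int audit_split_password(const char *pw)
{
    size_t len = strlen(pw);
    size_t head = len < HEAD_LEN ? len : HEAD_LEN;
    size_t tail = len - head;
    int flags = PW_OK;

    if (!has_nonletter(pw, head))
        flags |= PART_ONLY_LETTERS;
    if (tail > 0) {
        if (tail < MIN_TAIL)
            flags |= TAIL_TOO_SHORT;
        if (!has_nonletter(pw + head, tail))
            flags |= PART_ONLY_LETTERS;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample passwords, not taken from the thread. */
    const char *samples[] = { "receiver;42", "rec;eive", "k3y;Boar_d!xQ7#z" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s flags=%d\n", samples[i], audit_split_password(samples[i]));
    return 0;
}
```

A password that passes a whole-string policy (11 characters, with punctuation and digits) is still flagged here, because neither part passes on its own.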

 
 
 


Post by Tim Mill » Sat, 04 Sep 1993 22:06:42



>Hi,
>I recently looked through the source of the shadow-packet and discovered
>that, given a password longer than 8 characters, the routine pw_encrypt
>simply splits it into two parts, one being the first 8 characters, the other
>being the rest. These get encrypted separately, and the result is stored
>separately.
>This looks like an invitation for a security hole to me - most people (me
>included) tend to think "A long password is a good password". And, as we all
>know, a password should contain some punctuation and some non-letters. Now

>Crack. One part that is encrypted is just some variation of "receiver", the
>other one is only three characters long.
>[Rest deleted]

If I remember the purpose of shadow passwords correctly, the shadow
password file is root read only (the regular passwd file is still
there, but passwords are in separate file).  No one else could read it.  So,
unless someone makes the blatant goof of making it world readable,
there should be no problem.  No one could get the file to crack it.

Tim Miller

------------------------------------------------------------------------------
Tim Miller                   |  "The only thing we have to fear, is fear     |

                             | "Within each of us lies the power of our      |
Mississippi State University |  consent to health and to sickness, to riches |
Major:  Chemistry/Physics    |  and to poverty, to freedom and to slavery.   |
Minor:  Computer Science     |  It is we who control these, and not another" |
                             |      ---Illusions, by Richard Bach            |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 
 
 


Post by Ralph Doncast » Sun, 05 Sep 1993 01:22:56


   Hi,

   I recently looked through the source of the shadow-packet and discovered
   that, given a password longer than 8 characters, the routine pw_encrypt
   simply splits it into two parts, one being the first 8 characters, the other
   being the rest. These get encrypted separately, and the result is stored
   separately.

   This looks like an invitation for a security hole to me - most people (me
   included) tend to think "A long password is a good password". And, as we all
   know, a password should contain some punctuation and some non-letters. Now

   Crack. One part that is encrypted is just some variation of "receiver", the
   other one is only three characters long.

   So the long passwords in the current shadow implementation look more like
   two passwords to Crack, one of which can probably be broken by brute force
   (even the second part of a 13 character password could be found within a
   couple of hours), the other one probably less obscured by digits/punctuation
   than a standard one.

   My advice for system administrators thus seems to be: "Either force your
   users to use REALLY long words and make sure that they know the way the
   passwords are encrypted, or recompile the shadow stuff without the option
   for long passwords enabled."

   Bernie

Since the passwords are shadowed, assuming there are no other gaping
security holes in the system, then they would never be able to read the
encrypted passwords anyway.
If they can read the shadowed passwords, then they most likely already
have root privileges, so it's game over.
-Ralph
--
Ralph Doncaster, computer consultant    Bell Sygma Telecomm Solutions


 
 
 


Post by Jason Haa » Sun, 05 Sep 1993 11:01:33



>    Some telnet's and telnetd's support encryption, perhaps this would
> be good to get for linux...

Sure! But that assumes you can find the clients that will interoperate
with it...

I am sure it will happen - the industry can't afford to carry on with such
a glaring hole (even though it doesn't seem to be exploited too much...)

 --

Cheers

Jason Haar, Network Consultant

 
 
 


Post by Peter Gutma » Tue, 07 Sep 1993 15:47:32




>   I recently looked through the source of the shadow-packet and discovered
>   that, given a password longer than 8 characters, the routine pw_encrypt
>   simply splits it into two parts, one being the first 8 characters, the other
>   being the rest. These get encrypted separately, and the result is stored
>   separately.
>   This looks like an invitation for a security hole to me - most people (me
>   included) tend to think "A long password is a good password". And, as we all
>   know, a password should contain some punctuation and some non-letters. Now

>   Crack. One part that is encrypted is just some variation of "receiver", the
>   other one is only three characters long.
>Since the passwords are shadowed, assuming there are no other gaping
>security holes in the system, then they would never be able to read the
>encrypted passwords anyway.

If the use of shadowed passwords is so secure then why bother encrypting
them at all?  Why not just rely on the security through obscurity technique?

(I know the answer to the security through obscurity question so don't flood
my mailbox :-).  BTW Ultrix's crypt16 used to have this problem as well, I'm
not sure if it's been fixed.  If you're going to use an incompatible method
of password encryption why not go to something secure like MD5 or SHS with a
64-bit IV (= 'salt')?

Peter.

 
 
 


Post by Jason Haa » Sun, 05 Sep 1993 09:29:59



> Do you ever log in as root (even with "su" from a real account) over
> the net?  If so, your password goes unencrypted over the ethernet
> for all with a network analyzer to read.

Yeah - just like it does under DECnet and LAT too...

Basically most terminal-based logins send passwords in the clear...

--

Cheers

Jason Haar, Network Consultant

 
 
 


Post by Larry Doolitt » Sun, 05 Sep 1993 01:54:27



Miller) writes:

> If I remember the purpose of shadow passwords correctly, the shadow
> password file is root read only (the regular passwd file is still
> there, but passwords are in separate file).  No one else could read it.  So,
> unless someone makes the blatant goof of making it world readable,
> there should be no problem.  No one could get the file to crack it.

                               ^^^^^^
Better to say "not everybody and his brother" could get the file.
Overall *nix security is not the greatest, nor is it intended to be.
It is relevant to plug as many of the easy holes as possible, like
with shadow passwords.

Do you ever log in as root (even with "su" from a real account) over
the net?  If so, your password goes unencrypted over the ethernet
for all with a network analyzer to read.


 
 
 


Post by Frank Lofa » Sun, 05 Sep 1993 10:12:44




>> Do you ever log in as root (even with "su" from a real account) over
>> the net?  If so, your password goes unencrypted over the ethernet
>> for all with a network analyzer to read.

>Yeah - just like it does under DECnet and LAT too...

>Basically most terminal-based logins send passwords in the clear...

        Some telnet's and telnetd's support encryption, perhaps this would
be good to get for linux...
 
 
 


Post by Leif Kornstae » Mon, 06 Sep 1993 10:50:31



>Do you ever log in as root (even with "su" from a real account) over
>the net?  If so, your password goes unencrypted over the ethernet
>for all with a network analyzer to read.

Why exactly would you want to crack user passwords if you have root
access?

Leif.
--
Leif Kornstaedt               | ``Computers are good at following instructions,

            GCS/M d p c++ l++ u++ e+ m++ s n+ h+ f+ g+ w t+ r+ y?

 
 
 


Post by Ruediger Helsch Ram » Wed, 08 Sep 1993 03:28:40


The 16-character handling of the shadow password package seems suboptimal.
Though I think it is better than the standard Unix procedure which discards
everything but the first eight characters: At our place I cracked the passwords
of some users, and found they had used long words with some special
characters, but the first eight characters formed a simple word.
How could they know that their good passwords were silently truncated?

I think the best solution would be to XOR the characters past the eighth
character with the others, like this:

        ThisIsAV
        eryLongA
        ndGoodPa
        ssword
        -------- (XOR characters in the same column).
        XXXXXXXX (Crypt this value)

The XORed password would form a pretty random and difficult to guess
word. This would work with arbitrarily long passwords, and it would be
compatible with systems that don't use this procedure as long as short
passwords are used.


 
 
 


Post by Peter Gutma » Wed, 08 Sep 1993 22:24:29



>The 16-character handling of the shadow password package seems suboptimal.
>Though I think it is better than the standard Unix procedure which discards
>everything but the first eight characters: At our place I cracked the passwords
>of some users, and found they had used long words with some special
>characters, but the first eight characters formed a simple word.
>How could they know that their good passwords were silently truncated?
>I think the best solution would be to XOR the characters past the eighth
>character with the others, like this:
>    ThisIsAV
>    eryLongA
>    ndGoodPa
>    ssword
>    -------- (XOR characters in the same column).
>    XXXXXXXX (Crypt this value)

This is a Bad Thing.  xor is a linear transformation - all you'll be doing
is flipping bits in some predetermined manner (eg if you map 16 -> 8 chars
by xoring then you'll end up clearing the high bits which the two lots of
chars will have in common).  Since people will use standard phrases rather

passwords, it will allow you to perform a frequency analysis of the language
in use and determine the most common bit patterns which will result from
this xor-ing.  The longer the password, the closer the statistical analysis
will be to the real text.  You can then use the probable bit-patterns to
mount an attack.  This may even be easier than an attack on the standard
password system.

I'll repeat again what I said in a previous message, if you're going to make
an incompatible change you may as well use a secure algorithm like MD5 or
SHS to do it.

Peter.
--


             (In order of preference - one of 'em's bound to work)
                  -- Nostalgia isn't what it used to be --
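The column-wise XOR fold discussed in the post above, written out so its linearity can be checked directly: reordered rows collide, a repeated word cancels to the same value as an empty password, and the high bits shared by letters disappear. This is an added example, not code from the thread or from the shadow suite; the function names are assumptions and the inputs are constructed from the rows of the example quoted above.

```c
#include <stdio.h>
#include <string.h>

#define WIDTH 8   /* number of characters the proposal folds down to */

/* XOR the characters of pw column-wise into WIDTH bytes, as proposed above. */
void xor_fold(const char *pw, unsigned char out[WIDTH])
{
    memset(out, 0, WIDTH);
    for (size_t i = 0; pw[i] != '\0'; i++)
        out[i % WIDTH] ^= (unsigned char)pw[i];
}

/* 1 if both passwords fold to the same 8 bytes, i.e. would hash identically. */
int folds_equal(const char *a, const char *b)
{
    unsigned char fa[WIDTH], fb[WIDTH];
    xor_fold(a, fa);
    xor_fold(b, fb);
    return memcmp(fa, fb, WIDTH) == 0;
}

/* OR of the folded bytes: bits that are 0 here are 0 in every column. */
unsigned char fold_bit_union(const char *pw)
{
    unsigned char f[WIDTH], u = 0;
    xor_fold(pw, f);
    for (int i = 0; i < WIDTH; i++)
        u |= f[i];
    return u;
}

int main(void)
{
    /* Constructed inputs built from the rows of the example in the thread. */
    printf("rows swapped collide:    %d\n",
           folds_equal("ThisIsAVeryLongA", "eryLongAThisIsAV"));
    printf("repeated word == empty:  %d\n",
           folds_equal("passwordpassword", ""));
    printf("bit union of 16 letters: 0x%02x\n",
           fold_bit_union("ThisIsAVeryLongA"));
    return 0;
}
```

For a 16-letter password every folded byte is below 0x40, so two of the eight bits in each position carry no information at all.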

 
 
 


Post by Bob Sma » Fri, 10 Sep 1993 17:23:03





> >Do you ever log in as root (even with "su" from a real account) over
> >the net?  If so, your password goes unencrypted over the ethernet
> >for all with a network analyzer to read.

> Why exactly would you want to crack user passwords if you have root
> access?

A network analyzer doesn't necessarily imply root access anywhere--it
means somebody has found a place on your network (whether it's an
ethernet, a phone tap, or whatever) to attach an analyzer.  Up to that
point, all they have is physical access to your cable, which is bad
enough--but after they've captured some passwords, THEN they have root
privileges on your systems as well.

Even if they already DO have root access on some system in your network,
it doesn't necessarily follow that they also have root on ALL the
machines in your network.  The same reasoning applies: before I capture
your other root passwords, all I have is root on my own boring little
workstation.  Afterward, I have root on (say) the master server and YOUR
workstation.

---------

A fanatic is someone who does what he knows that God would do if God knew the
facts of the case.

Some mailers apparently munge my address; you might have to use


 
 
 


Post by Detlef Lanne » Fri, 17 Sep 1993 00:17:31


 [...]

>>        ThisIsAV
>>        eryLongA
>>        ndGoodPa
>>        ssword
>>        -------- (XOR characters in the same column).
>>        XXXXXXXX (Crypt this value)

>This is a Bad Thing.

 [convincing explanation of why it's a Bad Thing deleted for brevity]


>I'll repeat again what I said in a previous message, if you're going to make
>an incompatible change you may as well use a secure algorithm like MD5 or
>SHS to do it.

If the hashed (long) password is to be encrypted anyway, then the hash
algorithm need not be cryptographically secure; an easier (and faster)
algorithm than MD5 or SHA might do as well (like the one by Pearson
published in CACM June 1990, pp 677-680; I posted a C source to sci.crypt
a few weeks ago).

In this case there would be no incompatibility: Short passwords (<= 8 chars)
are encrypted as before; any longer password is hashed down to 8 bytes
and encrypted in the same way.

Thus a long password (or passphrase) is a substitute for some weird
8-byte string which would be hard to remember (and near impossible to
type in!).

--


Mathematicians are a kind of Frenchmen: if you talk to them, they
translate it into their own language, and then it is at once something
entirely different.                    Johann Wolfgang von Goethe