From owner-freebsd-security Sat Dec 14 13:46:05 1996
Return-Path: <owner-security@FreeBSD.ORG>
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA16359 for security-outgoing; Sat, 14 Dec 1996 13:46:05 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA16338; Sat, 14 Dec 1996 13:46:01 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id OAA22244; Sat, 14 Dec 1996 14:23:11 -0700
From: Terry Lambert <terry@lambert.org>
Message-Id: <199612142123.OAA22244@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: proff@iq.org (Julian Assange)
Date: Sat, 14 Dec 1996 14:23:11 -0700 (MST)
Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: <199612140135.MAA04639@profane.iq.org> from "Julian Assange" at Dec 14, 96 12:35:25 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> The FreeBSD account administration pw suite is able to produce
> "random" passwords for new accounts. Due to the simplicity of the
> password generation algorithm involved, the passwords are easily
> predictable amid a particular range of possibilities. This range
> may be very narrow, depending on what sort of information is
> available to the attacker.

[ ... vulnerability description elided ... ]

I've noticed a similar restriction on the search space is caused by
enforcing password length and use of particular values (digits,
control characters, and capitalization).

Once we add in "non-pronounceable" and "not in dictionary" and so on,
I think that eventually, in the interests of "security", users will be
forced to choose from a list of 10 or so "sufficiently safe" passwords.

Of course, once that happens, we'll just publish the list...

Any restriction on "allowed values" is an implicit restriction of the
search space a cracker is required to search, and makes cracking just
that much easier.

                                        Regards,
                                        Terry Lambert
                                        terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.