Date: Fri, 2 Aug 1996 22:13:34 -0700 (PDT)
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To: brandon@tombstone.sunrem.com (Brandon Gillespie)
Cc: freebsd-security@freebsd.org
Subject: Re: Crack 4.1 patches for FBSD
Message-ID: <199608030513.WAA02366@kdat.calpoly.edu>
In-Reply-To: <Pine.BSF.3.91.960729165132.10431C-100000@tombstone.sunrem.com> from "Brandon Gillespie" at Jul 29, 96 04:56:30 pm
> > Make a VERY slow crypt with very long output. Something
> > in the order of 10s of seconds on a P6/200. It is of
> > course annoying that things take that long, but dictionaries
> > would be practically impossible.
>
> As long as the sleep is optional, and can be enabled/disabled with a
> simple command (hooked into sysconfig). On some systems I would likely
> enable it, but on most (like my workstation) I could frankly care less--I
> feel secure enough in my local net from system to system (i.e. each system
> is rather isolated), and the huge login times would simply get irritating
> quickly.

Unfortunately, a sleep would be inadequate against a dictionary attack. The actual algorithm (and hence the garbled password) would have to depend on a number of iterations sufficient to discourage this attack. Being able to disable it and still use the same crypt would add no additional security.

I'm actually interested in a 'secure' release of FreeBSD, with daemons not running as root, no complicated mailers, few to no setuid binaries -- in essence, what I do to my FreeBSD systems as soon as I install them. Unfortunately, I have recently started a very demanding job and do not have the time to contribute to such a project. My apologies.

-- 
Nate Lawson        "There are a thousand hacking at the branches of
CPE Senior          evil to one who is striking at the root."
CSL Admin               -- Henry David Thoreau, 'Walden', 1854
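The distinction Nate draws, a login-time sleep versus a crypt whose output depends on an iteration count, illustrated with an added example that is not part of this thread or of FreeBSD's crypt. The `$iter$` storage format, the HMAC-SHA256 chaining and the wordlist are assumptions constructed for this example:

```python
import hashlib
import hmac
import secrets

# Constructed storage format for this example (not FreeBSD's crypt format):
#   $iter$<rounds>$<salt hex>$<digest hex>
# The round count travels with the hash, so verification must repeat the
# same work; there is no per-host switch that turns it off.

def stretch(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Chain `rounds` HMAC-SHA256 steps, each keyed by the password over the
    previous digest. The result depends on the exact round count, so every
    guess has to be carried through all rounds before it can be compared."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = salt
    for _ in range(rounds):
        digest = hmac.new(password, digest, hashlib.sha256).digest()
    return digest

def make_entry(password: bytes, rounds: int, salt=None) -> str:
    """Produce a stored entry; a fresh 16-byte salt unless one is supplied."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return f"$iter${rounds}${salt.hex()}${stretch(password, salt, rounds).hex()}"

def verify(password: bytes, entry: str) -> bool:
    """Login-side check: the round count is read out of the entry itself."""
    _, tag, rounds, salt_hex, digest_hex = entry.split("$")
    if tag != "iter":
        return False
    got = stretch(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))

def wordlist_cost(wordlist, entry):
    """Model an offline wordlist run against a copied entry and count the
    HMAC invocations it costs. A sleep in the login program never appears in
    this loop, so rounds=1 gives the attacker one hash per candidate; only a
    round count baked into the algorithm multiplies that cost."""
    _, _, rounds, salt_hex, digest_hex = entry.split("$")
    rounds, salt = int(rounds), bytes.fromhex(salt_hex)
    target = bytes.fromhex(digest_hex)
    hmac_calls = 0
    for word in wordlist:
        hmac_calls += rounds
        if hmac.compare_digest(stretch(word, salt, rounds), target):
            return word, hmac_calls
    return None, hmac_calls
```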