UNIX Password Security - Ten Years Later

  • David C. Feldmeier
  • Philip R. Karn
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 435)


Passwords in the UNIX operating system are encrypted with the crypt algorithm and kept in the publicly-readable file /etc/passwd. This paper examines the vulnerability of UNIX to attacks on its password system. Over the past 10 years, improvements in hardware and software have increased the crypts/second/dollar ratio by five orders of magnitude. We reexamine the UNIX password system in light of these advances and point out possible solutions to the problem of easily found passwords. The paper discusses how the authors built some high-speed tools for password cracking and what elements were necessary for their success. These elements are examined to determine if any of them can be removed from the hands of a possible system infiltrator, and thus increase the security of the system. We conclude that the single most important step that can be taken to improve password security is to increase password entropy.
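As an added illustration of the abstract's argument (not code from the paper), the following Python models password entropy against crypt throughput, assuming classic DES-based crypt's 8-character input limit, 56-bit DES key and 12-bit salt; the throughput figures and word-list size are constructed assumptions, not values from the paper.

```python
"""Model of the abstract's argument: password entropy versus crypt throughput."""
import math

# Properties of classic DES-based crypt(3): only the first 8 characters of the
# password are used, 7 bits each, so at most 56 bits of key material reach DES;
# the 12-bit salt (4096 values) makes a precomputed table 4096 times larger.
CRYPT_MAX_CHARS = 8
CRYPT_KEY_BITS = 56
CRYPT_SALT_VALUES = 4096


def policy_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size^length,
    after crypt's truncation to 8 characters and the 56-bit DES key cap."""
    effective_len = min(length, CRYPT_MAX_CHARS)
    return min(effective_len * math.log2(alphabet_size), float(CRYPT_KEY_BITS))


def dictionary_entropy_bits(dictionary_size: int) -> float:
    """A password known to come from a word list has only log2(list size) bits."""
    return math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, crypts_per_second: float) -> float:
    """Expected guesses to hit one password is half the space; divide by throughput."""
    return (2.0 ** entropy_bits / 2.0) / crypts_per_second


def precomputed_table_entries(entropy_bits: float, salted: bool = True) -> int:
    """Table-lookup attack size: every candidate, times every salt if salts are used."""
    return int(2 ** entropy_bits) * (CRYPT_SALT_VALUES if salted else 1)


def crack_time_table(crypts_per_second: float) -> dict:
    """Expected seconds to crack several password sources at a given throughput.
    The word-list size and policies are constructed sample values."""
    sources = {
        "word from 25,000-word list": dictionary_entropy_bits(25_000),
        "6 lowercase letters": policy_entropy_bits(26, 6),
        "8 mixed-case alphanumerics": policy_entropy_bits(62, 8),
        "8 chars, full 7-bit ASCII": policy_entropy_bits(128, 8),
    }
    return {name: expected_crack_seconds(bits, crypts_per_second)
            for name, bits in sources.items()}


if __name__ == "__main__":
    # Throughput values are assumptions, not figures from the paper; the abstract
    # only states a five-orders-of-magnitude change in crypts/second/dollar.
    for rate in (10.0, 10.0 * 10 ** 5):
        print(f"--- {rate:g} crypts/second ---")
        for name, secs in crack_time_table(rate).items():
            print(f"{name:32s} {secs / 86400:14.3f} days")
```

The table shows why the abstract's conclusion follows: a 10^5 speedup shrinks every row by the same factor, and only rows with high entropy remain out of reach.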





Copyright information

© Springer-Verlag Berlin Heidelberg 1990

Authors and Affiliations

  • David C. Feldmeier, Bellcore, Morristown
  • Philip R. Karn, Bellcore, Morristown
