Abstract
Passwords in the UNIX operating system are encrypted with the crypt algorithm and kept in the publicly-readable file /etc/passwd. This paper examines the vulnerability of UNIX to attacks on its password system. Over the past 10 years, improvements in hardware and software have increased the crypts/second/dollar ratio by five orders of magnitude. We reexamine the UNIX password system in light of these advances and point out possible solutions to the problem of easily found passwords. The paper discusses how the authors built some high-speed tools for password cracking and what elements were necessary for their success. These elements are examined to determine if any of them can be removed from the hands of a possible system infiltrator, and thus increase the security of the system. We conclude that the single most important step that can be taken to improve password security is to increase password entropy.
The title refers to the paper by Morris and Thompson printed in Communications of the ACM in 1979 [9].
References
Robert W. Baldwin. MIT fdes 5 (crypt) source code.
Matt Bishop. An application of a fast data encryption standard implementation. Computing Systems, 1(3):221–254, Summer 1988.
Marc Davio, Yvo Desmedt, Marc Fosseprez, Rene Govaerts, Jan Hulsbosch, Patrik Neutjens, Philippe Piret, Jean-Jacques Quisquater, Joos Vandewalle, and Pascal Wouters. Analytical characteristics of the DES. In Proceedings of Crypto ’83, pages 171–202, August 1983.
Marc Davio, Yvo Desmedt, Jo Goubert, Frank Hoornaert, and Jean-Jacques Quisquater. Efficient hardware and software implementations for the DES. In Proceedings of Crypto ’84, pages 144–146, August 1984.
W. Diffie and M. E. Hellman. Exhaustive cryptanalysis of the NBS data encryption standard. Computer, 10(6):74–84, June 1977.
Alan G. Konheim. Cryptography: A Primer. John Wiley & Sons, 1981.
T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. In Proceedings of Crypto ’88, August 1988.
Donald Mitchell. AT&T Questor (crypt) source code.
Robert Morris and Ken Thompson. Password security: A case history. Communications of the ACM, 22(11):594–597, November 1979.
Charles P. Pfleeger. Security in Computing. Prentice Hall, 1989.
Claude Shannon. Prediction and entropy of printed English. Bell System Technical Journal, 30(1):50–64, January 1951.
Eugene H. Spafford. The Internet worm program: An analysis. Computer Communication Review, 19(1):17–57, January 1989.
J.G. Steiner, C. Neuman, and J.I. Schiller. Kerberos: An authentication service for open network systems. In USENIX Conference Proceedings, pages 191–202, Dallas, Texas, February 1988.
© 1990 Springer-Verlag Berlin Heidelberg
Feldmeier, D.C., Karn, P.R. (1990). UNIX Password Security - Ten Years Later. In: Brassard, G. (eds) Advances in Cryptology — CRYPTO’ 89 Proceedings. CRYPTO 1989. Lecture Notes in Computer Science, vol 435. Springer, New York, NY. https://doi.org/10.1007/0-387-34805-0_6
DOI: https://doi.org/10.1007/0-387-34805-0_6
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-97317-3
Online ISBN: 978-0-387-34805-6
eBook Packages: Springer Book Archive