On Fri, May 25, 2001 at 08:07:20AM -0500, Florin Iucha wrote:
> > Discovering the existing password is far, far worse. Not only is it not
> > obvious to the box's legitimate owner, they may have used the same password
> > on other systems, which you now have access to also. Fortunately, it's not
> > too difficult to make this effectively impossible these days.
>
> Worse, but doable.

I was wondering whether you would say that...

I just created a dummy user with an old root password from one of my boxes;
I'll give you the /etc/passwd and /etc/shadow entries. If cracking it is
"doable", I'll be very interested to have you tell me what the password is.

If you can convince seti at home or distributed.net to help you, I figure
your odds are pretty good. Or maybe someone will announce a technique
tomorrow for quickly factoring very large numbers, making most of modern
crypto obsolete. Otherwise, I expect it to take a long, long time. Long
enough to qualify as "effectively impossible", just like I said earlier.

Anyhow, here you go:

nonroot:x:1000:1000:Old root password,,,:/home/nonroot:/bin/bash
nonroot:$1$saU95BKR$Q9M1KZCIxqopXTp4D/O.q1:11467:0:99999:7:::

Have fun.

(Note: I originally just sent this to Florin and have since explained that
I didn't mean to be hard on him, but this seemed like the best way to
illustrate that, while it may be theoretically and technically possible to
crack a strong password under strong crypto, it's a practical impossibility.)

-- 
That's not gibberish... It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12: GCS d? s+: a C++ UL++++$ P++>+++ L+++>++++ E- W--(++) N+ o+
!K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI++++ D G e* h r y+
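
As an added illustration (not part of the original message), this Python sketch decodes the shadow entry quoted above according to shadow(5) and works out how long trying every candidate password would take. The alphabet size, password lengths and guess rate are assumptions, since the message states none of them.

```python
from datetime import date, timedelta

# Constructed input: the shadow line quoted in the message above.
SHADOW_LINE = "nonroot:$1$saU95BKR$Q9M1KZCIxqopXTp4D/O.q1:11467:0:99999:7:::"

# Modular-crypt identifiers that share the $id$[rounds=N$]salt$digest layout.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def parse_shadow(line):
    """Decode the name, hash and last-change fields of a shadow(5) entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has nine colon-separated fields")
    name, pw, lastchg = fields[:3]
    entry = {"name": name, "locked": pw.startswith(("!", "*")),
             "scheme": None, "salt": None, "digest": None, "last_change": None}
    if lastchg:
        # Field 3 counts days since 1970-01-01.
        entry["last_change"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    parts = pw.lstrip("!").split("$")
    if len(parts) >= 4 and parts[0] == "":
        entry["scheme"] = SCHEMES.get(parts[1], "other")
        if parts[1] in SCHEMES:
            entry["salt"], entry["digest"] = parts[-2], parts[-1]
    return entry

def exhaustive_search_years(alphabet_size, length, guesses_per_second):
    """Years needed to try every password of exactly `length` characters."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    e = parse_shadow(SHADOW_LINE)
    print(e["name"], e["scheme"], "salt=" + e["salt"], "changed", e["last_change"])
    # Assumed figures, not from the message: 95 printable ASCII characters
    # and a rate of one million guesses per second.
    for length in (6, 8, 10, 12):
        years = exhaustive_search_years(95, length, 1_000_000)
        print(f"{length} chars: {years:.3g} years for the full keyspace")
```

The figure is an upper bound for a randomly chosen password; a dictionary word or a reused password falls far sooner, which is why the scheme shown in field 2 and the password policy both matter when auditing shadow files.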