On Fri, May 25, 2001 at 08:07:20AM -0500, Florin Iucha wrote:
> > Discovering the existing password is far, far worse.  Not only is it not
> > obvious to the box's legitimate owner, they may have used the same password
> > on other systems, which you now have access to also.  Fortunately, it's not
> > too difficult to make this effectively impossible these days.
> 
> Worse, but doable.

I was wondering whether you would say that...

I just created a dummy user with an old root password from one of
my boxes; I'll give you the /etc/passwd and /etc/shadow entries.
If cracking it is "doable", I'll be very interested to have you tell me
what the password is.  If you can convince seti@home or distributed.net
to help you, I figure your odds are pretty good.  Or maybe someone will
announce a technique tomorrow for quickly factoring very large numbers,
making most of modern crypto obsolete.  Otherwise, I expect it to take
a long, long time.  Long enough to qualify as "effectively impossible",
just like I said earlier.

Anyhow, here you go:

nonroot:x:1000:1000:Old root password,,,:/home/nonroot:/bin/bash
nonroot:$1$saU95BKR$Q9M1KZCIxqopXTp4D/O.q1:11467:0:99999:7:::

Have fun.

(Note:  I originally just sent this to Florin and have since explained
that I didn't mean to be hard on him, but this seemed like the best
way to illustrate that, while it may be theoretically and technically
possible to crack a strong password under strong crypto, it's a practical
impossibility.)

-- 
That's not gibberish...  It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12:  GCS d? s+: a C++ UL++++$ P++>+++ L+++>++++ E- W--(++) N+
o+ !K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI++++ D G e* h r y+
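
Added example, not part of the original message: a small Python parser for the /etc/shadow line quoted above, showing what each field encodes (the `$1$` prefix selects md5-crypt, `saU95BKR` is the salt, and 11467 is the last-change date in days since 1970-01-01). The function names and the scheme table are this example's own, and it goes beyond the one entry in the message by also handling locked, empty and other-prefix password fields.

```python
from datetime import date, timedelta

# Prefixes of the crypt(3) modular format and the scheme each one selects.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
FIELDS = ("last_change", "min_age", "max_age", "warn", "inactive", "expire")


def describe_hash(field):
    """Classify the password field: locked, empty, legacy DES, or $id$salt$hash."""
    if field == "":
        return {"scheme": "empty", "locked": False}
    locked = field[0] in "!*"
    body = field.lstrip("!*")
    if not body:
        return {"scheme": "none", "locked": True}
    if not body.startswith("$"):
        return {"scheme": "des-crypt", "locked": locked, "salt": body[:2]}
    pieces = body.split("$")          # ['', id, salt, hash] for $1$, $5$, $6$
    info = {"scheme": SCHEMES.get(pieces[1], "unknown"), "locked": locked}
    if pieces[1] in ("1", "5", "6") and len(pieces) >= 4:
        # sha-crypt may carry "rounds=N" before the salt
        info["salt"] = pieces[3] if pieces[2].startswith("rounds=") else pieces[2]
    return info


def parse_shadow(line):
    """Split one /etc/shadow line into its named fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    entry = {"user": parts[0]}
    entry.update(describe_hash(parts[1]))
    for name, raw in zip(FIELDS, parts[2:8]):
        entry[name] = int(raw) if raw else None   # empty field = not set
    if entry["last_change"] is not None:
        # last_change counts days since 1970-01-01
        entry["changed_on"] = date(1970, 1, 1) + timedelta(days=entry["last_change"])
    return entry


if __name__ == "__main__":
    # The shadow entry quoted in the message above.
    line = "nonroot:$1$saU95BKR$Q9M1KZCIxqopXTp4D/O.q1:11467:0:99999:7:::"
    for key, value in parse_shadow(line).items():
        print(key, "=", value)
```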