Lab 6 - Midterm Solutions and User Authentication

Midterm Solutions

The first half of the lab will go over the midterm solutions. Solution Key: the key is now complete.

User Authentication

Check if the machine you are using has a Debian install under the 'cs216' account. If not, download the Debian image from http://pegasus.cs.csubak.edu/~mdanfor/cs216/vm/vpc/welcome.html. The image from my website should have the password cracking utility 'john' installed. If using an image already on the machine, you may need to do 'apt-get install john'. Try the command 'john -test' to run a benchmark.

Next, add an account to the system with a pronounceable password at least 8 characters long, and another account with a more random password (a mix of upper/lower case letters, numbers and symbols, 8 or more characters in length). Note that the 'student' account and the root account both have a dictionary-word-based password, so you can test how quickly that type of password is cracked. Create a local copy of the password file with the command:

unshadow /etc/passwd /etc/shadow > passwd.1

Run john on this local file with 'john passwd.1'. Note how long it takes to crack each type of password. Depending on the time it takes, you may wish to generate a few more pronounceable and random passwords to compare how long each takes to crack.
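To interpret the timings you record, it helps to compare them with the size of the search space john has to cover for each password type. The following Python script is an added example for this lab, not part of the lab handout or of john itself. It reads a line in the format that unshadow produces (the sample line, salt and hash below are constructed placeholders), reports which crypt(3) scheme the hash field uses, and estimates the worst-case number of guesses and the expected time for three kinds of password under a deliberately simplified model: a plain dictionary word, a dictionary word with digits appended, and a random string that forces a brute-force search over the character classes it uses. The wordlist, the 10,000 guesses-per-second rate and the mangling model are all assumptions of the example; substitute the c/s figure that 'john -test' prints on your own machine.

```python
import string

# Constructed sample line in the format unshadow(8) writes
# (user:hash:uid:gid:gecos:home:shell). The salt and hash are placeholders,
# not a real hash taken from any system.
SAMPLE_UNSHADOW_LINE = (
    "student:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1000:1000:Student:/home/student:/bin/bash"
)

# Constructed mini wordlist standing in for the dictionary a cracker would use.
SAMPLE_WORDLIST = ["password", "letmein", "debian", "student", "welcome"]

# Assumed benchmark rate (crypts per second); replace with your 'john -test' figure.
ASSUMED_GUESSES_PER_SECOND = 10_000

# crypt(3) scheme identifiers found between the first two '$' of the hash field.
CRYPT_SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

# Character classes and their sizes for the brute-force estimate.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def hash_scheme(unshadow_line):
    """Return the crypt(3) scheme name for one unshadow line."""
    fields = unshadow_line.split(":")
    if len(fields) < 2:
        raise ValueError("not a passwd/unshadow line")
    hash_field = fields[1]
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "locked"      # no usable hash: account disabled or has no password
    if not hash_field.startswith("$"):
        return "descrypt"    # legacy 13-character DES crypt has no '$id$' prefix
    return CRYPT_SCHEMES.get(hash_field.split("$")[1], "unknown")


def alphabet_size(password):
    """Size of the smallest character set a brute-force search must cover."""
    return sum(size for chars, size in CLASS_SIZES if any(c in chars for c in password))


def guess_count(password, wordlist=SAMPLE_WORDLIST):
    """Worst-case guesses under a simplified model (an assumption of this example,
    not john's actual search order):
      1. a dictionary word costs one pass over the wordlist (case is treated as free);
      2. each digit appended to a dictionary word multiplies the cost by 10,
         mimicking a simple word-mangling rule;
      3. anything else falls back to brute force over the classes it uses.
    Returns (strategy, guesses)."""
    stripped = password.lower().rstrip(string.digits)
    appended_digits = len(password) - len(stripped)
    if stripped in wordlist:
        return ("dictionary", len(wordlist) * 10 ** appended_digits)
    return ("brute-force", alphabet_size(password) ** len(password))


def expected_seconds(guesses, guesses_per_second):
    """Expected time to hit the password: on average half the space is searched."""
    return guesses / 2 / guesses_per_second


def report(passwords, guesses_per_second=ASSUMED_GUESSES_PER_SECOND, wordlist=SAMPLE_WORDLIST):
    """Return one (password, strategy, guesses, expected_seconds) row per password."""
    rows = []
    for pw in passwords:
        strategy, guesses = guess_count(pw, wordlist)
        rows.append((pw, strategy, guesses, expected_seconds(guesses, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("hash scheme in sample line:", hash_scheme(SAMPLE_UNSHADOW_LINE))
    # Constructed test passwords: dictionary word, mangled word, random lowercase, random mixed.
    for pw, strategy, guesses, secs in report(["password", "password1", "zqxjkvwm", "Tr0ub4dor&3"]):
        print(f"{pw:12s} {strategy:12s} {guesses:>22,d} guesses  ~{secs:,.0f} s")
```

The point of the table is the ratio between rows, not the absolute seconds: a dictionary word falls in a handful of guesses while an 8-character lowercase string already needs on the order of 26^8 tries, and adding more character classes raises the base of that exponent. A pronounceable password sits between the two, because john's incremental mode orders its guesses by letter frequency rather than trying every string uniformly, which is why you should expect it to fall sooner than a truly random string of the same length.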

Eugene Spafford recently wrote an article, "Security Myths and Passwords", about how the threats to user authentication have changed over the years. Read his article and write a brief discussion of his main points. In particular, does he feel the primary threat these days is password cracking or something else?

Email me your writeup to my Helios account.