don't bother; it's easy to crack your password no matter how long it is
Authored by: derrickbass on Dec 07, '04 08:21:17PM

It is an exaggeration to say that Mac OS X password security is a complete joke, and even if it were, it is highly irresponsible to recommend that people not bother with password security.

It is true that Mac OS X unfortunately stores the Samba hash of your password, even if you don't actually use Samba or allow login from Windows. Microsoft was stupid (what else is new) and made it so that you can break the hash in 7-character stages, rather than having to do it all at once, changing an exponential problem into a linear one.

HOWEVER, in order to access the hash, you need root access to the machine (or equivalently, physical access). (And, as has already been pointed out, the same goes for the trick of grabbing the password from the VM swap file.) This significantly narrows the scope of the vulnerability.

Now these are certainly problems, and Apple should fix them. (Why? A hacker with root or physical access can access all of your files, which is bad, but with your password they can do worse. Without the password, they cannot decrypt your keychain (which may contain passwords to financial sites or e-commerce sites that store your credit card number). Also, since many people use the same password for various accounts, once they have one password, they likely have them all. Finally, if you don't detect the break-in, then they can continue to access your system, even if the original security flaw that allowed access is repaired.)

A good password is still important. First, it helps keep people who don't have physical access from breaking in. Second, even if someone tries to break your Samba hash, it will take them longer if you have a stronger password (but a longer password won't help much).



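The 7-character staging described in the comment above can be put in numbers. This is an added illustration, not code from the thread: it models the standard LM preprocessing (uppercase, NUL-pad to 14 bytes, split into two halves) and compares the search space of the two halves taken separately with that of the password taken whole. The function names and the 69-symbol alphabet are assumptions made for the example.

```python
# Added example: why a hash that splits into 7-byte halves makes extra
# password length worth so little. No hashing is done, only the preprocessing
# and the resulting search-space sizes.

LM_MAX = 14    # LM works on a 14-byte, NUL-padded password
HALF = 7       # each half is hashed independently
ALPHABET = 69  # assumption: 95 printable ASCII minus 26 lowercase letters,
               # because LM uppercases the password before hashing


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte blocks that are hashed separately."""
    raw = password.upper().encode("ascii")
    if len(raw) > LM_MAX:
        # Handling of longer passwords varies by implementation; not modelled.
        raise ValueError("model covers passwords of at most 14 characters")
    padded = raw.ljust(LM_MAX, b"\0")
    return padded[:HALF], padded[HALF:]


def search_cost(password: str, alphabet: int = ALPHABET) -> dict[str, int]:
    """Worst-case candidate counts for this password's length.

    'whole'  : every character must be guessed together (one 14-byte unit).
    'staged' : each half is searched on its own, so the costs add up
               instead of multiplying.
    """
    first, second = lm_halves(password)
    n1 = len(first.rstrip(b"\0"))
    n2 = len(second.rstrip(b"\0"))
    # An empty half always hashes to the same value, so it needs no search.
    staged = alphabet ** n1 + (alphabet ** n2 if n2 else 0)
    whole = alphabet ** (n1 + n2)
    return {"staged": staged, "whole": whole}


if __name__ == "__main__":
    # Constructed sample passwords of 7, 8 and 14 characters.
    for pw in ("abcdefg", "abcdefgh", "Tr0ub4dor&3x!z"):
        cost = search_cost(pw)
        print(f"{len(pw):2d} chars  staged={cost['staged']:.3e}  "
              f"whole={cost['whole']:.3e}")
```

Going from 7 to 8 characters adds only 69 candidates to the staged search, while the same step multiplies the whole-password search by 69.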
don't bother; it's easy to crack your password no matter how long it is
Authored by: sjk on Dec 07, '04 09:21:23PM

Nice followup, Derrick.


