The following is an excerpt from an internet newsgroup discussion, Oct 16, 1995, on the topic of password security on NetWare servers.

The question that is often asked: Does anybody know about some kind of program that can read a user's password from the NetWare bindery? Is the bindery secure?

Stephen Herzog, of Secure Design, replies: No, you cannot just open the bindery and see a user's password. Yes, passwords can be obtained; however, it is not something trivial.
Read the Theory of Operation chapter of the Password Inspector manual for information on how NetWare password encryption works.

[Some companies boast of password checkers to help protect your server with 18 databases with over 1 million words. Is this good or fluff?]

Let's talk about dictionary sizes. First off, the bindery provides you with the number of characters in the original password. How nice. If you pre-sort your dictionary by the length of the words, you can avoid checking all but the words of the same length as the password. I assume that a "set of 18 databases with 1 million words" is 18 files, each with a set of words of a specific length. Each password in the bindery would be checked with approximately 60 thousand words then, correct? It would be a waste of time to check all 1 million words, since you can eliminate the ones that are the wrong length.

And what of large dictionaries? Is bigger always better? Yes and no. If you were trying to break the supervisor password on a specific file server, and you happen to know that they use a password checking program such as Password Sentry, our Password Inspector, or SmartPass, you could purchase a copy, extract the words from the dictionary, and you now have a list of 1 million words you don't need to check. So in short, a dictionary with 5 words is pretty useless... So is one that contains every possible combination of letters and numbers for each length of password. (What should the user use for a password if *all* the word-letter combinations are already in a dictionary?) I won't make any judgements as to what the best word count is for a dictionary (the sysop should do that), but don't assume bigger is always better. If you want passwords that are harder to guess, increase your minimum password length. 4- and 5-letter passwords can be broken by testing every possible set of letters and words pretty quickly.
Explain to your users why secure passwords are important, and ask/force them to use long passwords with letters and numbers. But be careful; long-hard-to-remember passwords tend to get written down. There is nothing worse than someone finding a business card with your account name and password on the back. More information on Password Inspector is available on Secure Design's web site. Complete discussions on NetWare password security can be found at http://netlab1.usu.edu/novell.faq/securty1.doc
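The post's two points (a leaked length lets a checker skip every word of the wrong length, and short passwords are exhaustible) can be put in numbers. The example below is added here and is not code from the discussion, from Secure Design, or from Password Inspector; the word list is constructed, and the 36-symbol alphabet (letters plus digits, case-insensitive) is an assumption used only to size the search space. It buckets a dictionary by length the way the post describes, reports how many candidates remain once the length is known, and uses the same buckets for a minimum-length plus dictionary policy check a sysop could run when a password is set.

```python
"""Added example (not from the original discussion): how much a known
password length shrinks a dictionary check, and a minimum-length policy
built on the same length buckets. SAMPLE_WORDS is constructed."""
from collections import defaultdict

# Constructed stand-in for a dictionary file.
SAMPLE_WORDS = ["pass", "word", "login", "admin", "secret", "novell",
                "netware", "bindery", "server", "super", "visor", "root"]


def bucket_by_length(words):
    """Pre-sort the dictionary by word length, as the post suggests."""
    buckets = defaultdict(set)
    for w in words:
        buckets[len(w)].add(w.lower())
    return buckets


def words_to_check(buckets, known_length):
    """With the length known, only the matching bucket needs checking."""
    return len(buckets.get(known_length, ()))


def fraction_eliminated(buckets, known_length):
    """Share of the whole dictionary skipped because of the length leak."""
    total = sum(len(b) for b in buckets.values())
    return 1.0 - words_to_check(buckets, known_length) / total


def exhaustive_space(length, alphabet_size=36):
    """Candidates for trying every combination of one length.
    alphabet_size=36 (letters + digits, case-insensitive) is an assumption."""
    return alphabet_size ** length


def policy_violation(password, buckets, min_length):
    """Return why a password fails policy, or None if it is acceptable.
    Checks the post's two advice points: minimum length, then the
    dictionary bucket for that exact length."""
    if len(password) < min_length:
        return "too short"
    if password.lower() in buckets.get(len(password), ()):
        return "dictionary word"
    return None


if __name__ == "__main__":
    b = bucket_by_length(SAMPLE_WORDS)
    for n in (4, 5, 6, 7):
        print(f"length {n}: {words_to_check(b, n)} dictionary words to check, "
              f"{fraction_eliminated(b, n):.0%} of dictionary skipped, "
              f"{exhaustive_space(n):,} exhaustive candidates")
    for pw in ("pass", "bindery", "k9x7m2q"):
        print(pw, "->", policy_violation(pw, b, min_length=6) or "ok")
```

On the constructed list a known length of 4 leaves 3 of 12 words to check; the post's 1 million words over 18 length files gives the same kind of reduction at scale. The exhaustive counts (36^4 and 36^5) are what make the post's "increase your minimum password length" advice concrete: each extra character multiplies the space by the alphabet size.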