I think you're off base. :)

The weakness involves the speed with which you can DES data. Going to 3DES means you (roughly) triple the attack time, which means that in about 2 years, we'll be back where we are today. Remember that Crack doesn't really crack passwords, it just tries to send in lots of passwords, and sees when the output matches.

What you want is a strong authenticating function; something that the user can do to demonstrate identity (and possibly possession) to a server. I doubt that reusable passwords are up to the task, unless you're using some solid encryption client. If you're going to build a smart client, you might as well build in smart authentication.

Adam

| So what we're left with is replacing crypt() with something decently
| strong. How about triple DES? At this point in the game, triple DES
| seems as strong as anything available, and certainly far stronger than
| the existing scheme. It also would not change the length of the
| passwords on file or the basic authentication mechanism. Of course,
| this still doesn't solve the problem of weak passwords (which is still
| a basic attack mechanism for crack), but it would make
| minimum-password schemes much more effective, and increase the value
| of good passwords substantially.
|
| Someone tell me if I'm completely off-base here.

--
"It is seldom that liberty of any kind is lost all at once." -Hume