>I realize that the primary method of crack is guessing weak passwords, >but it also attempts to decrypt. And given the weakness of Are you sure that crack does that? I haven't looked at any new versions for awhile, but there was no cracking software in it before. The time it would take even for the watered down DES variant used for UNIX passwords is beyond the available resources of most sites. >single-DES, it isn't that hard. So anything that improves >cryptographic strength is good. Also, it reduces the harm caused by >weak passwords, and adds value to strong passwords. It doesn't if the scheme is built into the system, and it would have to be since there's so much on systems that want to verify your password. Then you're back to the same problem as before. If they can get a copy of your encrypted password they can do a dictionary attack. Triple DES would slow them down, but that's about it. Of course cracking passwords is a possible attack only if you're incredibly stupid in how you administer your site. The real problem these days is that the passwords go through many sites in the clear. > >I also realize that the ideal solution would be to eliminate fixed >passwords and replace them with some sort of double-blind, >smart-client scheme. But it won't work, not as long as we're >dependent on existing clients like telnet and ftp working. I'd say There's already a lot of telnet clients and servers now that are negotiating secure authentication, and there'll be more all the time. The day will come soon that people will tell their telnetd not to talk to any clients that can't do secure authentication. That solution's here today, written in the RFCs and available freely on the net. Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/