>> So what we're left with is replacing crypt() with something decently >> strong. How about triple DES? Somewhat better. >> [This] also would not change the length of the passwords on file or >> the basic authentication mechanism. True. > My take on this is that encryption is NOT the way to go. This would > mean that there exists a key that could decrypt the entire password > file. On this count triple DES is no better than regular DES. You seem to misunderstand the current scheme. The scheme is _not_ simply hash = DES crypt of typed password with some key. Rather, it is more like hash = DES crypt of constant with typed password as key[%]. Using triple DES here would help because (a) it's harder to crack in the sense of recovering the key from a (plain,cipher) pair and (b) the keys are three times as wide (only twice in some variants), which means less information loss when converting a typed password to a key. [%] Even this is not quite accurate. The crypt is not DES but rather a slightly perturbed DES, and it's iterated many times. It's also non-exportable, same as the current scheme, which IMO removes it completely from serious consideration. > From my understanding the MD5 would work well. It does work well. One of the patches in my set of patches is one to make libcrypt use an MD5-based algorithm for password hashing. It's currently relative to 1.0; once I get "my" machine converted to -current, I'll port the patches to that and send-pr the result. (Results, actually, since the patches I have affect more than just libcrypt.) der Mouse mouse@collatz.mcrcim.mcgill.edu