Re: passwd hashing algorithm
der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Fri, 14 Apr 1995 07:00:54 -0400
>> So what we're left with is replacing crypt() with something decently
>> strong. How about triple DES?
Somewhat better.
>> [This] also would not change the length of the passwords on file or
>> the basic authentication mechanism.
True.
> My take on this is that encryption is NOT the way to go. This would
> mean that there exists a key that could decrypt the entire password
> file. On this count triple DES is no better than regular DES.
You seem to misunderstand the current scheme. The scheme is _not_
simply hash = DES crypt of typed password with some key. Rather, it is
more like hash = DES crypt of constant with typed password as key[%].
Using triple DES here would help because (a) it's harder to crack in
the sense of recovering the key from a (plain,cipher) pair and (b) the
keys are three times as wide (only twice in some variants), which means
less information loss when converting a typed password to a key.
[%] Even this is not quite accurate. The crypt is not DES but rather a
slightly perturbed DES, and it's iterated many times.
It's also non-exportable, same as the current scheme, which IMO removes
it completely from serious consideration.
> From my understanding the MD5 would work well.
It does work well. One of the patches in my set of patches is one to
make libcrypt use an MD5-based algorithm for password hashing. It's
currently relative to 1.0; once I get "my" machine converted to
-current, I'll port the patches to that and send-pr the result.
(Results, actually, since the patches I have affect more than just
libcrypt.)
der Mouse
mouse@collatz.mcrcim.mcgill.edu