Rick Busdiecker says: > From: Adam Shostack <adam@bwh.harvard.edu> > Date: Thu, 13 Apr 1995 13:23:03 -0400 (EDT) > > Doing to 3des means you (roughly) triple the attack time, which > means that in about 2 years, we'll be back where we are today. > > This does not fit with my understanding of 3DES. I thought that 3DES > effectively tripled the key size, i. e. you have to derive three DES > keys simultaneously in order to crack. The point is, however, that DES isn't used in crypt(3) as a cipher but as a weird hash function over an eight byte value, the password, and you aren't increasing this password's size so you aren't really improving the situation. Changing things so that the password could be much longer would actually help, however. A salted MD5 or SHA of a much longer passphrase space WOULD be more secure because brute force searches would actually be harder. Perry