Re: passwd hashing algorithm

John F. Haugh II (jfh@rpp386.cactus.org)
Sun, 16 Apr 95 10:31:40 CDT

> Agreed. Personally, I am wondering when Unix will get overhauled so that 
> these recurring holes (sendmail, crypt<>, etc) will be brought to a 
> higher level of perfection. Regarding crypt() I would think a one-way 
> mechanism is the answer, versus having keys that are left around the system.

crypt() is a one-way function already.  The only known attacks against
the UNIX password file are brute force and password guessing.  There is
no "decryption key".

The problems with UNIX encrypted passwords are their length (too short),
their construction (no standard utilities for enforcing "good" passwords)
and the visibility of the encrypted password on many systems (include in
that notion things like Classic-NIS).  Those three problems are fixed in
various products, freeware and commercial; they just haven't been adopted
by all of the vendors so far.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh@rpp386.cactus.org
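The three problems Haugh lists (hash visibility, no enforcement of "good" passwords, and the short effective length of classic crypt()) can be checked from the administrator's side. The following is an added example and is not code from the post or from any of the products it alludes to; the /etc/passwd text, the account names, the hash string and the mini word list are all constructed sample data, and the policy thresholds (8 characters, 3 character classes) are illustrative assumptions rather than any vendor's defaults. The one fact it relies on is that traditional DES-based crypt() produces a 13-character string over the [./0-9A-Za-z] alphabet and uses only the first 8 characters of the password.

```python
"""Defender-side audit of the three UNIX password weaknesses named in the post.

Constructed sample data throughout: no real accounts, hashes or word lists.
"""
import re
import string

# Traditional DES crypt(3): 2 salt characters + 11 hash characters, all from this alphabet.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_CRYPT_RE = re.compile(r"^[%s]{13}$" % re.escape(CRYPT_ALPHABET))
DES_SIGNIFICANT_CHARS = 8  # classic crypt() silently discards everything after the 8th character

# Constructed /etc/passwd (fictional accounts; the 13-character hash is made up, not a real crypt() output)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB/yWI:1000:1000:Alice:/home/alice:/bin/sh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
carol::1002:1002:Carol:/home/carol:/bin/sh
"""

# Constructed stand-in for a dictionary file used by a password-quality checker
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}


def audit_passwd(text):
    """Classify each account's password field; 'visible_hash' is the world-readable case."""
    findings = {"visible_hash": [], "empty": [], "shadowed": [], "locked": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pwfield = line.split(":")[:2]
        if pwfield == "":
            findings["empty"].append(user)        # no password at all: anyone can log in
        elif pwfield == "x":
            findings["shadowed"].append(user)     # hash moved to a root-only shadow file
        elif DES_CRYPT_RE.match(pwfield):
            findings["visible_hash"].append(user) # hash readable by every user: offline guessing possible
        else:
            findings["locked"].append(user)       # '*', '!' etc. can never equal a crypt() output
    return findings


def check_password(candidate, username, min_length=8, min_classes=3):
    """Return the list of policy violations (empty list means acceptable).

    Character-class and dictionary checks are applied to the first 8 characters
    only, because that is all a classic DES crypt() actually hashes.
    """
    problems = []
    effective = candidate[:DES_SIGNIFICANT_CHARS]
    if len(candidate) < min_length:
        problems.append("too short")
    classes = sum(
        1 for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
        if any(c in cls for c in effective)
    )
    if classes < min_classes:
        problems.append("too few character classes")
    if effective.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    return problems


if __name__ == "__main__":
    for category, users in audit_passwd(SAMPLE_PASSWD).items():
        print("%-13s %s" % (category + ":", ", ".join(users) or "-"))
    for pw in ("password123", "Tr0ub4d&rJ", "dave2024!", "Ab1!"):
        print("%-12s -> %s" % (pw, check_password(pw, "dave") or "ok"))
```

Note that "password123" is rejected as a dictionary word even though it is 11 characters long: under the classic algorithm the trailing digits never reach the hash, which is exactly the "length (too short)" complaint in the post.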