Path: sparky!uunet!zaphod.mps.ohio-state.edu!cs.utexas.edu!uwm.edu!psuvax1!rutgers!dziuxsolim.rutgers.edu!zodiac.rutgers.edu!leichter
From: leichter@zodiac.rutgers.edu
Newsgroups: alt.security
Subject: Re: passwd security check
Message-ID: <1992Jul23.092715.1@zodiac.rutgers.edu>
Date: 23 Jul 92 13:27:15 GMT
References: <1992Jul22.190827.30077@iitmax.iit.edu> <1992Jul22.221222.6185@Princeton.EDU>
Sender: news@dziuxsolim.rutgers.edu
Organization: Rutgers University Computing Services
Lines: 20
Nntp-Posting-Host: cancer.rutgers.edu

The odds are very much against it, but "same password with the same salt"
will happen sometimes. At Yale a number of years back, it happened - in the
worst possible way: Someone noticed that their salt and hashed password
matched that of root!

One thing it's important to remember is that there are many passwords that
hash to the same value. Even if you and I have the same salt and the same
hash value, it doesn't mean we chose the same password - though it DOES mean
that either of our passwords will work on either account.

In hashing passwords, VMS uses both a random salt (16 bits worth) AND the
UIC (user/group number, 32 bits) as part of the hash. The components
protect different things: The random salt is unpredictable for any given
user, so makes dictionary attacks harder. The UIC is predictable - the UIC
for the SYSTEM account is always [1,4], for example - but it means that no
two different users ever have "comparable" hashed passwords, even if they end
up with the same salt. (Since protection is based on the UIC, different
accounts with the same UIC already have complete access to each other.)

-- Jerry

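An added illustration of the two points in the post above (this is example code, not the post's and not VMS's actual password algorithm): a SHA-256 stand-in for the hash shows how a salt-only scheme lets two accounts with the same salt and password end up with identical stored hashes, while folding the predictable per-account UIC into the hash keeps different accounts' hashes incomparable even when their salts collide. The birthday-bound function quantifies how likely a 16-bit salt collision is among N users; the hash layout and account values are assumptions for the demonstration.

```python
"""Hypothetical hash constructions (SHA-256 stand-ins, NOT the real VMS
scheme) that show why mixing a per-account identifier into the hash matters,
plus the birthday bound on collisions of a 16-bit random salt."""
import hashlib
import math
import os

SALT_BITS = 16  # the post says VMS uses a 16-bit random salt


def hash_salt_only(password: str, salt: int) -> str:
    """Hypothetical scheme: H(salt || password).
    Same salt + same password -> same digest, whoever owns the account,
    which is exactly how the Yale user spotted a match with root."""
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def hash_salt_and_uic(password: str, salt: int, uic: tuple) -> str:
    """Hypothetical scheme mirroring the post: H(salt || UIC || password).
    The UIC ([group, member], 32 bits) is predictable, but no two different
    accounts share it, so their stored hashes are never comparable even if
    the random salts happen to collide."""
    group, member = uic
    uic_bytes = group.to_bytes(2, "big") + member.to_bytes(2, "big")  # 32 bits
    data = salt.to_bytes(2, "big") + uic_bytes + password.encode()
    return hashlib.sha256(data).hexdigest()


def p_any_salt_collision(n_users: int, salt_bits: int = SALT_BITS) -> float:
    """Probability that at least two of n_users drew the same salt, assuming
    salts are uniform over 2**salt_bits values (birthday bound, computed in
    log space so it stays accurate for small probabilities)."""
    space = 2 ** salt_bits
    log_no_collision = sum(math.log1p(-k / space) for k in range(n_users))
    return 1.0 - math.exp(log_no_collision)


def random_salt(salt_bits: int = SALT_BITS) -> int:
    """Draw a uniformly random salt of salt_bits bits from the OS CSPRNG."""
    return int.from_bytes(os.urandom((salt_bits + 7) // 8), "big") % (2 ** salt_bits)


if __name__ == "__main__":
    # Constructed accounts: SYSTEM is [1,4] as the post says; the user is made up.
    shared_salt = 0x1234  # constructed: the rare "same salt" case
    print(hash_salt_only("hunter2", shared_salt) == hash_salt_only("hunter2", shared_salt))
    print(hash_salt_and_uic("hunter2", shared_salt, (1, 4)) ==
          hash_salt_and_uic("hunter2", shared_salt, (200, 7)))
    print(f"P(some salt collision among 400 users) = {p_any_salt_collision(400):.3f}")
```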