[45] in linux-security and linux-alert archive


Re: Sh*dow Passwords?

daemon@ATHENA.MIT.EDU (Jeremy Fitzhardinge)
Tue Mar 7 12:33:17 1995

From: jeremy@sour.sw.oz.au (Jeremy Fitzhardinge)
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 7 Mar 1995 22:33:09 +1000 (EST)
In-Reply-To: <199503070933.KAA25587@dutecai.et.tudelft.nl> from "R.E.Wolff@et.tudelft.nl" at Mar 7, 95 10:33:30 am
Reply-To: linux-security@tarsier.cv.nrao.edu

R.E.Wolff@et.tudelft.nl:
> Talking about serious weaknesses in the shadow package:
> 
> [description of problems with "long passwords"]

Yes, I've been concerned about this myself.  The problem with the
shadow password suite's approach is that it fails to mix around
the user's input to distribute it evenly between the 2 crypted
halves.  Probably the best solution is to abandon the traditional
"crypt" algorithm altogether, and use something like an MD5 hash.

This would allow effectively unlimited password length and be
slightly harder to get a cracker for (but only slightly).  This would
break everything wanting to do their own authentication, but that's
OK if you have to modify them to use a shadow passwd file anyway.

	J
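
Added example, not part of the original message and not the shadow suite's code: a sketch contrasting a long-password scheme that hashes each 8-character piece separately with a hash over the whole input, as the message proposes. `chunk_digest` is a hypothetical stand-in for traditional crypt() (truncated SHA-256 with the same 8-character limit), the salt handling and sample passwords are constructed, and MD5 appears only because the message names it.

```python
import hashlib

CHUNK = 8  # traditional crypt() only looks at the first 8 characters


def chunk_digest(chunk: str, salt: str) -> str:
    """Stand-in for traditional crypt() (assumption): sees at most CHUNK chars."""
    return hashlib.sha256((salt + chunk[:CHUNK]).encode()).hexdigest()[:11]


def split_hash(password: str, salt: str) -> list[str]:
    """Unmixed long-password scheme: every 8-char piece is hashed on its own."""
    pieces = [password[i:i + CHUNK] for i in range(0, len(password), CHUNK)] or [""]
    return [chunk_digest(p, salt) for p in pieces]


def whole_hash(password: str, salt: str) -> str:
    """Whole-input hash: the output depends on every character, at any length."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def unchanged_pieces(a: list[str], b: list[str]) -> list[int]:
    """Indexes of stored pieces that are identical for two passwords."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def guesses_needed(alphabet: int, length: int, split: bool) -> int:
    """Worst-case exhaustive-search cost for a password of the given length."""
    if not split:
        return alphabet ** length
    full, rest = divmod(length, CHUNK)
    # Pieces can be searched one at a time, so the costs add instead of multiply.
    return full * alphabet ** CHUNK + (alphabet ** rest if rest else 0)


if __name__ == "__main__":
    salt = "ab"                      # constructed sample values
    p1, p2 = "correcthorsebatt", "correcthXXXXXXXX"
    print("split :", split_hash(p1, salt), split_hash(p2, salt))
    print("same pieces:", unchanged_pieces(split_hash(p1, salt), split_hash(p2, salt)))
    print("whole :", whole_hash(p1, salt), whole_hash(p2, salt))
    print("cost split vs whole (26 letters, 16 chars):",
          guesses_needed(26, 16, True), guesses_needed(26, 16, False))
```
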
