[1466] in bugtraq
Re: passwd hashing algorithm
daemon@ATHENA.MIT.EDU (Louis Taber)
Fri Apr 14 00:51:45 1995
Date: 13 Apr 1995 11:46:22 -0700
From: Louis Taber <LTABER@pimacc.pima.edu>
To: stagda@sys1.ic.ncs.com
Cc: bugtraq@fc.net
X-Vms-To: IN%"stagda@sys1.ic.ncs.com"
>* David Faron Stagner (stagda@sys1.ic.ncs.com) writes
>I'm with der Mouse on this... the current state of crypt() and
>password hashing in unix is inexcusable.
..... stuff removed
>
>So what we're left with is replacing crypt() with something decently
>strong. How about triple DES? At this point in the game, triple DES
>seems as strong as anything available, and certainly far stronger than
>the existing scheme. It also would not change the length of the
>passwords on file or the basic authentication mechanism. Of course,
>this still doesn't solve the problem of weak passwords (which is still
>a basic attack mechanism for crack), but it would make
>minimum-password schemes much more effective, and increase the value
>of good passwords substantially.
>
>Someone tell me if I'm completely off-base here.
>--
>* David Faron Stagner
>* National Computer Systems david_stagner@ic.ncs.com
>* 2510 N Dodge St vox 319 354 9200 ext 6884
>* Iowa City, IA 52244 fax 319 339 6555
My take on this is that encryption is NOT the way to go. This would
mean that there exists a key that could decrypt the entire password file.
On this count, triple DES is no better than regular DES. From my
understanding, MD5 would work well. It is non-reversible.
Louis
Louis Taber ltaber@pima.edu
Pima Community College, Computer Science, 2202 W. Anklam Rd, Tucson, AZ 85709
(520) 884-6039 Secretary / (520) 884-6850 Office direct
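The distinction Taber draws, a stored record from which no key can recover the password and which can only be checked by recomputing it, is shown below as an added example. It is not code from either poster or from any Unix crypt() implementation; it uses PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count as an assumed modern stand-in for the "non-reversible" property the post attributes to MD5, and the `algorithm$iterations$salt$digest` record format, the `ITERATIONS` value and the constructed user list are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for this example; a real deployment tunes it to its hardware.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing one-way record: algorithm$iterations$salt$digest.

    Nothing in the record is a decryption key: the only way to check a
    candidate password is to run the same computation again.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    if algo != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than we now require.

    Because the scheme is one-way, the server cannot upgrade a record on its
    own; it re-hashes at the next successful login, when it holds the password.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < target_iterations


# Constructed sample "password file": username -> one-way record.
# Two users share a password; the random salts keep their records distinct.
SAMPLE_DB: Dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
    "carol": hash_password("tr0ub4dor&3", iterations=10_000),  # older, weaker record
}

# A dummy record so that lookups of unknown users cost the same as real ones.
_DUMMY_RECORD = hash_password("dummy")


def authenticate(db: Dict[str, str], username: str, password: str) -> bool:
    """Check a login against the sample file without revealing which usernames exist."""
    record = db.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in db


if __name__ == "__main__":
    print("alice ok:", authenticate(SAMPLE_DB, "alice", "correct horse battery staple"))
    print("alice wrong:", authenticate(SAMPLE_DB, "alice", "wrong"))
    print("alice/bob records equal:", SAMPLE_DB["alice"] == SAMPLE_DB["bob"])
    print("carol needs rehash:", needs_rehash(SAMPLE_DB["carol"]))
```

The two records for `alice` and `bob` differ even though the passwords are identical, so an attacker holding the file learns nothing about shared passwords and must attack each record separately; `needs_rehash` shows the operational consequence of one-wayness that Taber's point implies: the work factor can only be raised when the user next presents the password.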