[1503] in bugtraq
Re: passwd hashing algorithm
daemon@ATHENA.MIT.EDU (Robert M. Haas)
Sun Apr 16 07:42:31 1995
To: perry@imsi.com
Cc: Rick Busdiecker <rfb@lehman.com>, Adam Shostack <adam@bwh.harvard.edu>,
Full Disclosure <bugtraq@fc.net>
In-Reply-To: Your message of "Fri, 14 Apr 1995 20:21:28 EDT."
<9504150021.AA09102@snark.imsi.com>
Date: Sat, 15 Apr 1995 23:56:32 -0700
From: "Robert M. Haas" <rhaas@cygnus.arc.nasa.gov>

> The point is, however, that DES isn't used in crypt(3) as a cipher but
> as a weird hash function over an eight byte value, the password, and

Strengthening the password encryption algorithm strikes me as putting a
tighter lock on the door when the window is standing wide open... if
someone really wants to break into your machine, they can put a sniffer
on your network, and it won't matter how good your encryption algorithm
is. Admittedly it's a little harder to get a sniffer running on a
network than crack, but even so, reusable passwords are doomed...

...Robert