[1512] in bugtraq


Re: passwd hashing algorithm

daemon@ATHENA.MIT.EDU (John F. Haugh II)
Mon Apr 17 12:31:25 1995

From: jfh@rpp386.cactus.org (John F. Haugh II)
To: maquis@netcom.com (maquis)
Date: Sun, 16 Apr 95 10:31:40 CDT
Cc: LTABER@pimacc.pima.edu, stagda@sys1.ic.ncs.com, bugtraq@fc.net
In-Reply-To: <Pine.3.89.9504140751.A29977-0100000@netcom11>; from "maquis" at Apr 14, 95 7:18 am

> Agreed. Personally, I am wondering when Unix will get overhauled so that 
> these recurring holes (sendmail, crypt<>, etc) will be brought to a 
> higher level of perfection. Regarding crypt() I would think a one-way 
> mechanism is the answer, versus having keys that are left around the system.

crypt() is a one-way function already.  The only known attacks against
the UNIX password file are brute force and password guessing.  There is
no "decryption key".

The problems with UNIX encrypted passwords are their length (too short),
their construction (no standard utilities for enforcing "good" passwords)
and the visibility of the encrypted password on many systems (include in
that notion things like Classic-NIS).  Those three problems are fixed in
various products, freeware and commercial, they just haven't been adopted
by all of the vendors so far.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh@rpp386.cactus.org
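An added example, not from the post or from John Haugh, that works through the three problems he lists: the hash is one-way, so the only attack is guessing; with no shadow file the hashes are readable by anyone who can read /etc/passwd; classic crypt uses only the first 8 characters of the password; and nothing in the stock utilities rejects guessable passwords. Assumptions: the `legacy_hash` function is a stand-in for DES crypt(3) (salted SHA-256 with the same 8-character limit and 13-character output) so the script runs without libcrypt, and the passwd lines, wordlist and mangling rules are constructed for the demonstration.

```python
import hashlib
import string

# --- stand-in for crypt(3) --------------------------------------------------
# Assumption: DES is replaced by salted SHA-256 so this runs without libcrypt.
# What is kept from the real thing: it is one-way (the only way back is to
# guess), it is salted, and ONLY THE FIRST 8 CHARACTERS of the password are
# used, which is the "too short" problem the post describes.
DES_PASSWORD_LIMIT = 8


def legacy_hash(password, salt):
    """Return a 13-character, salt-prefixed hash of password[:8]."""
    if len(salt) != 2:
        raise ValueError("classic crypt salt is 2 characters")
    used = password[:DES_PASSWORD_LIMIT].encode()
    digest = hashlib.sha256(salt.encode() + used).hexdigest()
    return salt + digest[:11]


# --- constructed /etc/passwd (no shadow file: hashes are world-readable) ------
def build_passwd(accounts):
    """accounts: list of (user, uid, password, salt); returns passwd text."""
    lines = []
    for user, uid, password, salt in accounts:
        h = legacy_hash(password, salt)
        lines.append(f"{user}:{h}:{uid}:{uid}:{user}:/home/{user}:/bin/sh")
    return "\n".join(lines) + "\n"


SAMPLE_ACCOUNTS = [                      # constructed sample data
    ("root", 0, "toor", "aB"),
    ("alice", 1001, "Password123456", "c9"),   # long, but crypt sees "Password"
    ("bob", 1002, "Tr0ub4dor&3", "zQ"),
]
SAMPLE_PASSWD = build_passwd(SAMPLE_ACCOUNTS)

# --- attacker side: wordlist guessing against visible hashes -----------------
WORDLIST = ["toor", "password", "secret", "letmein"]   # constructed wordlist


def parse_passwd(text):
    """Map user -> hash field for every line that actually carries a hash."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "x", "*"):
            users[fields[0]] = fields[1]
    return users


def candidates(wordlist):
    """Cheap mangling rules: case variants and one trailing digit."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for digit in string.digits:
                yield base + digit


def crack(passwd_text, wordlist):
    """Offline dictionary attack: hash each guess with the victim's own salt
    and compare.  Returns user -> guess for every hash that matched."""
    found = {}
    guesses = list(candidates(wordlist))
    for user, h in parse_passwd(passwd_text).items():
        salt = h[:2]
        for guess in guesses:
            if legacy_hash(guess, salt) == h:
                found[user] = guess
                break
    return found


# --- defender side: the "good password" check the post says is missing -------
def weak_password_reason(password, wordlist):
    """Return why a password would be rejected, or None if it passes."""
    if len(password) < DES_PASSWORD_LIMIT:
        return "shorter than %d characters" % DES_PASSWORD_LIMIT
    effective = password[:DES_PASSWORD_LIMIT]        # what the hash will see
    if effective in set(candidates(wordlist)):
        return "first %d characters are a dictionary guess" % DES_PASSWORD_LIMIT
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation)
    classes = sum(any(c in g for c in effective) for g in groups)
    if classes < 3:
        return "fewer than three character classes in the first %d characters" % DES_PASSWORD_LIMIT
    return None


if __name__ == "__main__":
    print(crack(SAMPLE_PASSWD, WORDLIST))
    for _, _, pw, _ in SAMPLE_ACCOUNTS:
        print(repr(pw), "->", weak_password_reason(pw, WORDLIST))
```

Running it recovers root's "toor" and, for alice, the guess "Password": her 14-character password is cut to 8 before hashing, so the mangled dictionary word is all an attacker needs and will log in. Bob's password survives the wordlist. The same truncation is why the policy check looks only at the first 8 characters: anything beyond them never reaches the hash, so a length rule alone gives false comfort. Note that neither check helps while the hash field sits in a world-readable file; shadowing it removes the attacker's input entirely.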