Home page logo

bugtraq logo Bugtraq mailing list archives

Re: passwd hashing algorithm
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Sun, 16 Apr 95 10:31:40 CDT

Agreed. Personally, I am wondering when Unix will get overhauled so that 
these recurring holes (sendmail, crypt<>, etc) will be brought to a 
higher level of perfection. Regarding crypt() I would think a one-way 
mechanism is the answer, versus having keys that are left around the system.

crypt() is a one-way function already.  The only known attacks against
the UNIX password file are brute force and password guessing.  There is
no "decryption key".

The problems with UNIX encrypted passwords are their length (too short),
their construction (no standard utilities for enforcing "good" passwords)
and the visibility of the encrypted password on many systems (include in
that notion things like Classic-NIS).  Those three problems are fixed in
various products, freeware and commercial, they just haven't been adopted
by all of the vendors so far.
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]