Home page logo

bugtraq logo Bugtraq mailing list archives

Re: passwd hashing algorithm
From: LTABER () pimacc pima edu (Louis Taber)
Date: 13 Apr 1995 11:46:22 -0700

* David Faron Stagner (stagda () sys1 ic ncs com) writes

I'm with der Mouse on this... the current state of crypt() and
password hashing in unix is inexcusable.  
..... stuff removed

So what we're left with is replacing crypt() with something decently
strong.  How about triple DES?  At this point in the game, triple DES
seems as strong as anything available, and certainly far stronger than
the existing scheme.  It also would not change the length of the
passwords on file or the basic authentication mechanism.  Of course,
this still doesn't solve the problem of weak passwords (which is still
a basic attack mechanism for crack), but it would make
minimum-password schemes much more effective, and increase the value
of good passwords substantially.  

Someone tell me if I'm completely off-base here.
* David Faron Stagner
* National Computer Systems           david_stagner () ic ncs com
* 2510 N Dodge St                     vox 319 354 9200 ext 6884
* Iowa City, IA 52244                 fax 319 339 6555

My take on this is that encryption is NOT the way to go.   This would 
mean that there exists a key that could decrypt the entire password file.
On this count triple DES is no better than regular DES.  From my 
understanding the MD5 would work well.  It is non-reversible.

Louis Taber                                                   ltaber () pima edu
Pima Community College, Computer Science, 2202 W. Anklam Rd, Tucson, AZ 85709
(520) 884-6039 Secretary / (520) 884-6850 Office direct

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]