Re: passwd hashing algorithm
From: LTABER () pimacc pima edu (Louis Taber)
Date: 13 Apr 1995 11:46:22 -0700
* David Faron Stagner (stagda () sys1 ic ncs com) writes
I'm with der Mouse on this... the current state of crypt() and
password hashing in unix is inexcusable.
..... stuff removed
So what we're left with is replacing crypt() with something decently
strong. How about triple DES? At this point in the game, triple DES
seems as strong as anything available, and certainly far stronger than
the existing scheme. It also would not change the length of the
passwords on file or the basic authentication mechanism. Of course,
this still doesn't solve the problem of weak passwords (which is still
a basic attack mechanism for crack), but it would make
minimum-password schemes much more effective, and increase the value
of good passwords substantially.
Someone tell me if I'm completely off-base here.
* David Faron Stagner
* National Computer Systems david_stagner () ic ncs com
* 2510 N Dodge St vox 319 354 9200 ext 6884
* Iowa City, IA 52244 fax 319 339 6555
My take on this is that encryption is NOT the way to go. This would
mean that there exists a key that could decrypt the entire password file.
On this count triple DES is no better than regular DES. From my
understanding, MD5 would work well. It is non-reversible.
Louis Taber ltaber () pima edu
Pima Community College, Computer Science, 2202 W. Anklam Rd, Tucson, AZ 85709
(520) 884-6039 Secretary / (520) 884-6850 Office direct
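
Added example, not part of the original message: a sketch of the one-way storage the reply argues for, where checking a password means recomputing a digest and no key exists that could decrypt the file. The record layout, the per-user salt, the iteration count and the use of PBKDF2-HMAC around MD5 are assumptions of this example, not details from the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not from the thread
DIGEST = "md5"        # the hash named in the reply; any hashlib name works here


def make_record(user, password, salt=None):
    """Return a passwd-style line 'user:salt_hex:iterations:digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{ITERATIONS}:{dk.hex()}"


def verify(record, password):
    """Recompute the digest from the candidate password and compare.

    There is no decryption step: the only inputs are the stored salt,
    the stored iteration count and the password being tried.
    """
    _user, salt_hex, iters, digest_hex = record.split(":")
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(dk.hex(), digest_hex)


def constructed_demo():
    # Constructed sample accounts; both users choose the same password.
    a = make_record("alice", "correct horse")
    b = make_record("bob", "correct horse")
    return {
        "alice_ok": verify(a, "correct horse"),
        "alice_bad": verify(a, "Correct horse"),
        # Different salts give different stored fields for equal passwords.
        "same_stored_field": a.split(":")[3] == b.split(":")[3],
    }


if __name__ == "__main__":
    print(constructed_demo())
```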