Vulnerability Development mailing list archives

Re: OpenSSH Password Question


From: Bennett Todd <bet () RAHUL NET>
Date: Sun, 10 Dec 2000 22:22:59 -0500

2000-12-10-08:20:39 Bluefish (P.Magnusson):
> As a minor comment, I've heard some people (not in this ml)
> complain about the fact that old-fashioned unix cuts passwords and
> think it would be a great idea to update the old crypt to support
> longer DES passwords.

On lots of platforms this has been done, incidentally also replacing
the old DES with a newer hash (various platforms use various newer
hashes) that can hash more bits. DES remains in use mostly just
where backward compat with existing crypted passwords remains
important, or where there's really wretched, loathsome sludge
sqooged all through the system where nothing short of a complete
nuke and rebuild, which will never be done, will stand a chance of
rooting it all out (NIS).

> Assume you use strong passwords with a-zA-Z0-9 and 8 characters long
> passwords. You get 36^8 possible different passwords, [...]

a-zA-Z0-9 is 62, no? So it'd be 62^8?

> which are hashed into a 2^40 bit DES hash.

Whoops, DES's input is 56 bits, but the output of the hash is 64. 40
bits only shows up when someone deliberately cripples DES, typically
by wiring some of the key bits to something they know. Whenever I
hear about people doing that sort of thing, I get this image of
Woody Allen as Jimmy Bond in Casino Royale.

> But 36^8 / 2^40 = 2.6, meaning that each checksum has multiple
> matches.

Since the question was passwords _longer_ than 8 characters, you can
still make this sort of math work out; say instead that
62^10 / 2^56 ~= 11.65.

> The hash is no longer able to improve security.

But _that's_ not true, not true at all. As long as people pick
passwords from small alphabets, and with strong digraph and trigraph
correlation --- as long as the typical chosen user password entropy
really isn't all that much better than the couple of bits/byte
of normal prose --- much longer passphrases continue to buy
important benefits, even if they are hashed into smaller spaces with
collisions.

> That's why we use MD5 instead :)

Don't get me wrong. MD5 is a better choice. SHA-1 is likely better
still. But the possibly-improved cryptosystem, with the
definitely-improved number of bits, is very much secondary to the
ability to use longer passphrases; a DES trick that simply took the
extra text and xor-ed it in the second time through, or some such,
would be far, far stronger than the classic truncate-at-8, and would
retain backward (and partial forward) compatibility. I.e. passwords
8 chars or less would work identically. If anybody has got a setup
that has something like NIS wired inextricably into it, you might
want to give this a ponder.

Oh, and BTW, DES's keysize reflects the design practice of providing
eight bytes of key material, and discarding their parity bits, so if
users could pick 8-character passwords including all ASCII control
characters as well as all ASCII printables, from NUL through DEL
(0x7F), they'd exactly cover the DES keyspace.

-Bennett

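The arithmetic argued over in this thread, together with the truncate-at-8 behaviour of classic crypt(3), as an added worked example. This is not code from the original post or from any crypt implementation: the key-setup function is modelled on the classic crypt(3) rule (take the first eight characters, shift each 7-bit character left by one so the DES parity bit is zero), and the figure of two bits of entropy per character for prose-like passwords is an assumption taken from the "couple of bits/byte" remark above.

```python
import math

def keyspace_count(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed as bits of search work."""
    return length * math.log2(alphabet_size)

def collision_ratio(alphabet_size: int, length: int, hash_bits: int) -> float:
    """Average number of passwords that land on each hash value.

    Reproduces the thread's sums: 36^8 / 2^40 ~= 2.6 and 62^10 / 2^56 ~= 11.65.
    """
    return keyspace_count(alphabet_size, length) / 2 ** hash_bits

def des_key_from_password(password: str) -> bytes:
    """Build a DES key the way classic crypt(3) does (modelled, not copied):
    keep at most eight ASCII characters, pad with NUL, and shift each 7-bit
    character left one place so its low bit (DES parity, ignored by the
    cipher) is zero.  Anything after the eighth character is discarded,
    which is the truncation the thread complains about.
    """
    raw = password.encode("ascii")[:8].ljust(8, b"\x00")
    return bytes(((c & 0x7F) << 1) for c in raw)

def effective_work_bits(entropy_bits: float, hash_bits: int) -> float:
    """Attacker work is bounded by the smaller of the guessable password
    space and the hash output space; a hash cannot add entropy the
    password never had, but it only hurts once it is the smaller term."""
    return min(entropy_bits, hash_bits)

def truncated_entropy_bits(length: int, bits_per_char: float,
                           max_chars: int = 8) -> float:
    """Entropy that survives a crypt(3)-style cut at `max_chars` characters.
    `bits_per_char` is the assumed entropy of user-chosen text (2 bits/char
    is the prose-like figure assumed here)."""
    return min(length, max_chars) * bits_per_char

if __name__ == "__main__":
    print("36^8 / 2^40  =", round(collision_ratio(36, 8, 40), 2))
    print("62^10 / 2^56 =", round(collision_ratio(62, 10, 56), 2))
    print("62^8 keyspace bits =", round(keyspace_bits(62, 8), 1))
    print("128^8 == 2^56:", keyspace_count(128, 8) == 2 ** 56)
    for pw in ("correcth", "correcthorsebatterystaple"):
        print(f"{pw!r:30} -> key {des_key_from_password(pw).hex()}")
    # Assumed 2 bits/char of entropy: a 24-char passphrase cut at 8 chars
    # offers 16 bits of work, the untruncated one 48 bits, both well
    # under the 56-bit DES key, so the cut is what costs security here.
    for n in (8, 24):
        full = effective_work_bits(n * 2, 56)
        cut = effective_work_bits(truncated_entropy_bits(n, 2), 56)
        print(f"{n:2d} chars @2 bits/char: untruncated {full:.0f} bits, truncated {cut:.0f} bits")
```

The two `des_key_from_password` lines print identical keys, which is the concrete form of the complaint quoted at the top: everything past the eighth character never reaches the cipher. The last loop makes Bennett's counter-point measurable: with prose-like entropy, the loss from truncation (48 bits down to 16) dwarfs any difference between hash output sizes, and `keyspace_count(128, 8) == 2**56` checks his closing remark that eight full-ASCII characters exactly cover the DES keyspace.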