Bugtraq mailing list archives

Re: passwd hashing algorithm


From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Sun, 16 Apr 95 10:31:40 CDT


Agreed. Personally, I am wondering when Unix will get overhauled so that 
these recurring holes (sendmail, crypt<>, etc) will be brought to a 
higher level of perfection. Regarding crypt() I would think a one-way 
mechanism is the answer, versus having keys that are left around the system.

crypt() is a one-way function already.  The only known attacks against
the UNIX password file are brute force and password guessing.  There is
no "decryption key".

The problems with UNIX encrypted passwords are their length (too short),
their construction (no standard utilities for enforcing "good" passwords)
and the visibility of the encrypted password on many systems (include in
that notion things like Classic-NIS).  Those three problems are fixed in
various products, freeware and commercial, they just haven't been adopted
by all of the vendors so far.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org
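The points made above (a one-way password store, guessing as the only attack, and hash visibility plus weak passwords as what makes guessing pay off) as a worked example. This is an added illustration, not code from the post or from any Unix vendor. Traditional crypt(3) is DES-based and truncates to eight characters; for portability this block assumes a stand-in salted SHA-512 via hashlib with a made-up `$demo$` record format, and the passwd lines and wordlist are constructed for the example.

```python
# Added example: a crypt(3)-style one-way password store, the two problems
# the post names (visible hashes, unenforced password quality), and the only
# attack that works against it: guessing. Not code from the original post.
# Assumption: salted SHA-512 (hashlib) and a "$demo$<salt>$<digest>" format
# stand in for DES crypt(3) so the block runs anywhere.
import hashlib
import secrets
import string
from typing import Iterable, List, Optional, Tuple

COMMON_WORDS = ("123456", "password", "letmein", "qwerty", "welcome")


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """One-way transform: there is no key, so nothing can be 'decrypted'."""
    if salt is None:
        salt = secrets.token_hex(8)          # 64-bit random salt, hex-encoded
    digest = hashlib.sha512(bytes.fromhex(salt) + password.encode()).hexdigest()
    return f"$demo${salt}${digest}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, scheme, salt, digest = stored.split("$")
    if scheme != "demo":
        raise ValueError("unsupported hash format")
    candidate = hash_password(password, salt).split("$")[3]
    return secrets.compare_digest(candidate, digest)


# Constructed /etc/passwd-style records. alice's hash sits in the second
# field, readable by every local user (the pre-shadow layout the post calls
# "visibility"); root's "x" points at a protected shadow file and daemon's
# "*" marks a locked account with no usable hash.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    f"alice:{hash_password('letmein', '5ac5f1bd2a3e8c9d')}:1000:1000:Alice:/home/alice:/bin/sh\n"
)


def exposed_hashes(passwd_text: str) -> List[Tuple[str, str]]:
    """Return (user, hash) for entries whose hash is visible in passwd itself."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        # "x" = shadowed, "*" or "!" prefix = locked, "" = no password set
        # (a different problem; not a hash anyone can attack offline).
        if pw in ("", "x", "*") or pw.startswith("!"):
            continue
        exposed.append((user, pw))
    return exposed


def guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare. No shortcut exists."""
    for word in wordlist:
        if verify(word, stored):
            return word
    return None


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """The 'construction' problem: enforce quality before a hash is ever stored."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no punctuation")
    if password.lower() in COMMON_WORDS:
        violations.append("appears in common-password list")
    return violations


if __name__ == "__main__":
    for user, stored in exposed_hashes(SAMPLE_PASSWD):
        hit = guess(stored, COMMON_WORDS)
        print(f"{user}: hash visible; guessed={hit!r}; policy={check_policy(hit or '')}")
```

Note that the guessing loop recovers alice's password only because her hash is world-readable and the password is on a short wordlist; shadowing removes the first condition and a policy check at password-change time removes the second, which is exactly the pair of fixes the post says existed but had not been universally adopted.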
