60-second timeout in Unix login

rjd at occrsh.ATT.COM
Thu Feb 18 01:48:00 AEST 1988


>Nah, I just change it to what it was before.  That's much easier to remember,
>and since Unix encrypts it differently each time, the administrators have
>no way of knowing that I'm doing it.

  Ah, but there is a way of knowing without storing un-encrypted passwords
around.  Since the "seed" used for the permutation algorithm is the first
two characters of the encrypted password, all you need to do is encrypt
your new password using the seed of each of the old ones, and then compare
the encryption to the encrypted password whose seed you are using.  The
passwd() command uses some mumbo-jumbo on the system clock to generate a
pseudo-random seed each time you set or change your password.
  For that matter, though it would be in bad faith of the administrator, it
is a simple thing to change the one program (or more?) to record the password
un-encrypted somewhere....  All that you need is to modify source to passwd().

Randy
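The reuse check Randy describes, as an added example that is not part of the original post: take the two-character seed from the front of each stored old entry, re-encrypt the candidate with that seed, and compare. It assumes a SHA-256 stand-in for the DES-based crypt(3) of the era (the function `crypt_like`, the helpers and the sample history are all constructed here), keeping the one property the check relies on: the seed is the first two characters of the stored string.

```python
import hashlib
import hmac
import secrets
import string

# crypt(3) draws its seed from this 64-character alphabet; two characters are stored as a prefix.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
SALT_LEN = 2


def crypt_like(password: str, seed: str) -> str:
    """Stand-in for crypt(3) (assumption: SHA-256 instead of the DES permutation).
    Output is seed + digest, so the seed can be read back from the stored string."""
    if len(seed) != SALT_LEN or any(c not in SALT_ALPHABET for c in seed):
        raise ValueError("seed must be two characters from the crypt(3) alphabet")
    digest = hashlib.sha256((seed + password).encode()).hexdigest()
    return seed + digest


def new_seed() -> str:
    """passwd(1) of the era derived this from the system clock; a CSPRNG is used here."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def matches_old_password(candidate: str, history: list[str]) -> bool:
    """True if the candidate equals any old password, without storing plaintext:
    re-encrypt it with each old entry's own seed and compare the results."""
    for stored in history:
        seed = stored[:SALT_LEN]
        if hmac.compare_digest(crypt_like(candidate, seed), stored):
            return True
    return False


def change_password(candidate: str, history: list[str]) -> str:
    """Reject a reused password; otherwise store it under a fresh seed."""
    if matches_old_password(candidate, history):
        raise ValueError("new password was used before")
    return crypt_like(candidate, new_seed())


# Constructed sample history: two old entries, each under a different seed.
HISTORY = [crypt_like("w1zard88", "ab"), crypt_like("c0rrect!", "Zq")]

if __name__ == "__main__":
    print("reused:", matches_old_password("w1zard88", HISTORY))   # True
    print("fresh :", matches_old_password("w1zard89", HISTORY))   # False
    print("stored:", change_password("fresh-pw", HISTORY))
```

The same password under a different seed yields a different stored string, which is why a plain string comparison of old and new entries misses the reuse while this check catches it.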


