How to stop future viruses.
Doug Gwyn
gwyn at smoke.BRL.MIL
Fri Nov 18 14:14:26 AEST 1988
In article <17575 at adm.BRL.MIL> rbj at nav.icst.nbs.gov (Root Boy Jim) writes:
>A better thing to do would be encrypt the password as usual, *and then
>select a random salt* to replace the salt it was encrypted with. That
>way, naive people can crack away to no avail.
No, that's not right since it doesn't block the "snarf /etc/passwd
and run trial passwords against it" approach. If you want to leave
encrypted passwords in /etc/passwd please make sure that (a) they
are encryptions of random gobbledook and (b) the verification
scheme never accepts a match against /etc/passwd as validating a
user under any circumstances. (The scheme Mumaugh described did.)
More information about the Comp.unix.wizards
mailing list