Improving password security

Wilson Heydt whh at pbhya.PacBell.COM
Sat Nov 19 13:12:57 AEST 1988


I've been reading the discussions of how to tighten security in the
light of recent events.  In particular, the remarks about weaknesses
in the existing password encryption algorithms.

I am puzzled about an omission in the solutions suggested.

As I recall from the supplementary Unix manuals--specifically the
two articles on password security--it is noted that the standard
Unix scheme uses the password as the encryption key on a standard
plaintext.  Would it not be a great help in stopping brute-force
attacks to make the plain-text configurable by binary-license sites?
Then the attacker would have to either break to the plain text for
each site--difficult enough in itself, restrict itself to some 
subset of the possible plaintexts, or generate an implausibly large
dictionary.

Am I off base?  Merely out of date?  Or has this been (or is this
being) done?

      --Hal

=========================================================================
  Hal Heydt                             |    "Hafnium plus Holmium is
  Analyst, Pacific*Bell                 |     one-point-five, I think."
  415-645-7708                          |       --Dr. Jane Robinson
  {att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh   
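
An added illustration of the proposal in the post above (not part of the original message, and not code from any Unix release): a table of hashes precomputed for the standard plaintext is reusable at every site that keeps it, but is useless against a site that has configured its own. Assumptions: HMAC-SHA256 stands in for the DES step, and the word list, users and the site plaintext "pacbell1" are constructed sample values.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the DES step of classic crypt(3).
# As in the post, the password is the key and a fixed block is the plaintext.
STANDARD_PLAINTEXT = bytes(8)   # the well-known constant block (all zeros)
ROUNDS = 25                     # classic crypt(3) iterates the cipher 25 times


def hash_password(password: str, plaintext: bytes = STANDARD_PLAINTEXT) -> str:
    """Encrypt `plaintext` under `password` repeatedly; return a hex string."""
    block = plaintext
    for _ in range(ROUNDS):
        block = hmac.new(password.encode(), block, hashlib.sha256).digest()
    return block.hex()


def build_dictionary(words, plaintext=STANDARD_PLAINTEXT):
    """Precomputed hash -> word table; valid for exactly one plaintext."""
    return {hash_password(w, plaintext): w for w in words}


def audit(password_file, dictionary):
    """Return {user: word} for every stored hash found in the table."""
    return {u: dictionary[h] for u, h in password_file.items() if h in dictionary}


# Constructed sample data: one word list, two sites with the same users.
WORDS = ["wizard", "password", "hafnium"]
USERS = {"alice": "wizard", "bob": "hafnium", "carol": "x9!Lq#rT"}
SITE_B_PLAINTEXT = b"pacbell1"  # hypothetical site-chosen 8-byte block

site_a = {u: hash_password(p) for u, p in USERS.items()}
site_b = {u: hash_password(p, SITE_B_PLAINTEXT) for u, p in USERS.items()}

shared_table = build_dictionary(WORDS)                    # built once, reused
site_b_table = build_dictionary(WORDS, SITE_B_PLAINTEXT)  # needs B's plaintext

if __name__ == "__main__":
    print("site A vs shared table: ", audit(site_a, shared_table))
    print("site B vs shared table: ", audit(site_b, shared_table))
    print("site B vs its own table:", audit(site_b, site_b_table))
```

The last line of output shows the limit of the idea: the per-site plaintext helps only for as long as it stays unknown outside the site.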


