How to stop future viruses.

Root Boy Jim rbj at nav.icst.nbs.gov
Wed Nov 23 03:08:52 AEST 1988


From Doug Gwyn

? In article <17575 at adm.BRL.MIL> rbj at nav.icst.nbs.gov (Root Boy Jim) writes:
? >A better thing to do would be encrypt the password as usual, *and then
? >select a random salt* to replace the salt it was encrypted with. That
? >way, naive people can crack away to no avail.

? No, that's not right since it doesn't block the "snarf /etc/passwd
? and run trial passwords against it" approach.  If you want to leave
? encrypted passwords in /etc/passwd please make sure that (a) they
? are encryptions of random gobbledygook and (b) the verification
? scheme never accepts a match against /etc/passwd as validating a
? user under any circumstances.  (The scheme Mumaugh described did.)

My suggesting the resalting technique was an attempt to disguise the
encryption. As it turns out, since the encryption algorithm is
completely dense, I have unwittingly provided a target.  I accept your
(a) (although why bother to encrypt at all?), and never suggested (b).

	(Root Boy) Jim Cottrell	(301) 975-5688
	<rbj at nav.icst.nbs.gov> or <rbj at icst-cmr.arpa>
	Crackers and Worms -- Breakfast of Champions!
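
Conditions (a) and (b) quoted above, as an added example that is not part of the original post: the world-readable field holds the hash of discarded random bytes, and verification consults only a protected store. PBKDF2 standing in for crypt(3), the `AccountStore` class and all its names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def kdf(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for crypt(3); iteration count kept small for the demo.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

class AccountStore:
    def __init__(self):
        self.public = {}   # world-readable, plays the role of /etc/passwd
        self.private = {}  # readable only by the verifier (hypothetical protected file)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.private[user] = (salt, kdf(password.encode(), salt))
        # (a) The public field is the hash of random bytes that are then discarded.
        decoy_salt = secrets.token_bytes(16)
        self.public[user] = (decoy_salt, kdf(secrets.token_bytes(32), decoy_salt))

    @staticmethod
    def _matches(entry, candidate: str) -> bool:
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(kdf(candidate.encode(), salt), digest)

    def verify(self, user: str, candidate: str) -> bool:
        # (b) Only the private entry is consulted; the public field never validates.
        return self._matches(self.private.get(user), candidate)

    def verify_accepting_public(self, user: str, candidate: str) -> bool:
        # Flawed variant for contrast: a match on the public field also logs in,
        # so the decoy becomes a target for offline guessing.
        return (self._matches(self.private.get(user), candidate)
                or self._matches(self.public.get(user), candidate))
```
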



More information about the Comp.unix.wizards mailing list