Hacking

David Safford auvsaff at auvc8.tamu.edu
Thu Mar 28 01:25:15 AEST 1991


In article <1991Mar27.094325.24599 at en.ecn.purdue.edu>,
kidder at en.ecn.purdue.edu 
(Mark Stephen Kidder) writes:

|>PS I learned earlier from another that UNIX does not use a DES
|>   encryption method for the password; however, a one-way method
|>   is used making decoding a password impossible.
|>

Well, sort of true.
To be precise, Unix password encryption is done with 25 repetitions
of a very slightly modified DES routine.  The 25 repetitions are done
to slow down hacking attempts, such as with dictionary based programs.
This repetition makes a single dictionary pass take minutes, rather
than seconds, which does help.  The modification to DES is rather
minor - the DES E (expansion) table is scrambled in one of 4096 ways,
based on a random 2 character salt.  The rationale for this minor
modification was to prevent use of DES hardware for password attacks.
The bottom line is that crypt differs from DES only slightly, but
enough to slow down hacking a bit.



More information about the Comp.unix.wizards mailing list