Path: utzoo!attcan!uunet!zaphod.mps.ohio-state.edu!sdd.hp.com!ucsd!ucbvax!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.misc
Subject: Re: how are password encryped?
Message-ID: <1990Nov5.195354.17692@athena.mit.edu>
Date: 5 Nov 90 19:53:54 GMT
References: <1990Nov5.185707.18709@nntp-server.caltech.edu>
Sender: daemon@athena.mit.edu (Mr Background)
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 47

In article <1990Nov5.185707.18709@nntp-server.caltech.edu>, gwoho@nntp-server.caltech.edu (g liu) writes:
|> i can't figure out how passwords are encrypted. it does not even seem
|> very deterministic: i can look in the password file, change my password,
|> change it back, and look again, and it changes. how are they encrypted,
|> and how can it even work if the same password encrypts differently
|> 2 different times?

  I suggest you read the man page for "crypt" in section 3 of the manual. It
addresses the "nondeterminism" you mention.

  In particular, the algorithm used to encrypt passwords takes the initial
password string and a two-character "salt" which can have any one of 4096
different possible values. To quote the man page, "The salt string is used to
perturb the DES algorithm in one of 4096 different ways, after which the
password is used as the key to encrypt repeatedly a constant string."

  When you change your password, the passwd(1) program semi-randomly chooses a
salt to use with the newly encrypted entry in the passwd file. Therefore, if
you change your password and then change it again to the same thing, the odds
are that the encrypted string will end up different the second time because a
different salt will be chosen.

  The purpose of the salt is to deter dictionary attacks against the passwd
file. If there were no salt, then any particular word used as a password would
always encrypt in the same way, so an attacker could encrypt all of the words
in a dictionary and store them in a password dictionary, and then do fast
string comparisons of the encrypted strings in his dictionary to the encrypted
strings in the passwd file. However, because of the salts, the attacker either
has to (a) encrypt all of the words in his dictionary using each of the 4096
salts, or (b) do the encryption of the entire dictionary on the fly as he
tries to crack each password, based on the salt for that particular password.

  There was a time when the added protection of the salt made it "effectively
impossible," or at least very improbable, to do a dictionary attack against a
well-chosen password. However, in this age of mega-fast CPU's and mega-large
disks, it isn't really enough anymore. ("Mega-fast" and "mega-large" are, of
course, very specific terms with very technical meanings upon which I won't
elaborate here :-).

-- 
Jonathan Kamens                       USnail:
MIT Project Athena                    11 Ashford Terrace
jik@Athena.MIT.EDU                    Allston, MA  02134
Office: 617-253-8085                  Home: 617-782-0710
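
An added example, not part of the original post: a Python sketch of the salt scheme the reply describes, showing how verification still works when the same password is stored differently each time. It substitutes PBKDF2-HMAC-SHA256 for the DES-based crypt(3) transform (an assumption, so that it runs anywhere); the function names, iteration count and sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# crypt(3) salt alphabet: 64 characters, so two characters give 64 * 64 = 4096 salts.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ITERATIONS = 100  # assumption: kept small so the demonstration runs quickly


def make_salt():
    """Pick one of the 4096 two-character salts at random."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))


def hash_password(password, salt=None):
    """Return a passwd-style entry: the salt in clear, then the salted digest."""
    if salt is None:
        salt = make_salt()
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from SALT_CHARS")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return salt + digest.hex()


def verify_password(password, entry):
    """Re-hash the candidate with the salt read back from the stored entry."""
    try:
        candidate = hash_password(password, entry[:2])
    except ValueError:
        return False  # entry too short or salt outside the alphabet
    return hmac.compare_digest(candidate.encode(), entry.encode())


def stored_forms(password):
    """Every entry a single password can produce: one per possible salt."""
    return {hash_password(password, a + b) for a in SALT_CHARS for b in SALT_CHARS}


if __name__ == "__main__":
    pw = "constructed-sample-pw"  # constructed sample value
    first, second = hash_password(pw), hash_password(pw)
    print(first)
    print(second)
    print("same entry twice:", first == second)
    print("first verifies:", verify_password(pw, first))
    print("entries a precomputed table needs per word:", len(stored_forms(pw)))
```

Because the salt is stored in clear at the front of the entry, the login check never has to guess it; the 4096 figure is the whole of the extra work a precomputed table has to absorb, which is the limit the post's last paragraph points at.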