Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!ub!boulder!ccncsu!ives.cs.colostate.edu!clarke
From: clarke@ives.cs.colostate.edu (Charles Clarke)
Newsgroups: comp.unix.misc
Subject: Re: how are password encryped?
Message-ID: <11101@ccncsu.ColoState.EDU>
Date: 11 Nov 90 03:03:39 GMT
References: <13507@crdgw1.crd.ge.com> <1990Nov9.095039.20561@newcastle.ac.uk>
Sender: news@ccncsu.ColoState.EDU
Distribution: na
Organization: Colorado State Computer Science Department
Lines: 19

For the passwords, the 'key' is easily obtainable. It is the salt (first two letters of the encrypted password for those of you who missed that). The password (unencrypted) is the plain text. The program encrypts your password using the key and a modified DES. It then compares this with what is stored for you in the passwd file.

As was pointed out, you do not care who knows the encryption algorithm (in this case, you do not care who knows about the key either), the only thing you need to worry about is someone knowing a decryption algorithm or having the information of what can produce your encrypted password given your salt. Note that this may be several strings, not just your password.

Looking at the source for crypt(3) is a way to see what the modified DES looks like, but expect to get a headache.

Happy hacking!

charles
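
The login-time check described in the post above (read the two-character salt off the stored field, re-hash the typed password, compare), as an added example that is not part of the original post and is not the crypt(3) source. It assumes a SHA-256 stand-in named `toy_crypt` in place of the modified DES, so its output does not match real passwd hashes; the user `charlie` and the sample entry are constructed. It mirrors one property of traditional crypt(3), that only the first eight characters of the password are used, which is one concrete way several strings can produce the same stored value.

```python
import hashlib
import hmac

# The 64-character alphabet crypt(3) uses for salts and hash output.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): returns salt + 11 characters, 13 in total.

    ASSUMPTION: SHA-256 replaces the modified DES so the block runs anywhere;
    the output does NOT match real crypt(3) hashes.
    """
    if len(salt) != 2 or any(c not in ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    # Traditional crypt(3) only uses the first eight characters of the password.
    material = salt.encode() + password.encode()[:8]
    digest = hashlib.sha256(material).digest()
    # Map the first 11 digest bytes onto the crypt alphabet (6 bits each).
    return salt + "".join(ALPHABET[b & 0x3F] for b in digest[:11])


def verify(candidate: str, stored: str) -> bool:
    """Login-time check: take the salt from the stored field, re-hash, compare."""
    if len(stored) != 13:
        return False  # locked ("*") or malformed entries never match
    try:
        recomputed = toy_crypt(candidate, stored[:2])
    except ValueError:
        return False
    # Constant-time comparison of the recomputed and stored strings.
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def password_field(passwd_line: str) -> str:
    """Second colon-separated field of a passwd(5) line."""
    return passwd_line.split(":")[1]


# Constructed sample entry; the user and password are made up.
SAMPLE_LINE = ("charlie:" + toy_crypt("tr0ub4dor", "Zq")
               + ":1001:100:Sample:/home/charlie:/bin/sh")

if __name__ == "__main__":
    stored = password_field(SAMPLE_LINE)
    print(stored[:2], verify("tr0ub4dor", stored), verify("guess", stored))
```
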