Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!samsung!xylogics!bu.edu!purdue!ccncsu!ives.cs.colostate.edu!clarke From: clarke@ives.cs.colostate.edu (Charles Clarke) Newsgroups: comp.unix.misc Subject: Re: how are password encryped? Keywords: crypt() Message-ID: <11206@ccncsu.ColoState.EDU> Date: 13 Nov 90 20:48:48 GMT References: <11101@ccncsu.ColoState.EDU> <1990Nov12.005944.22034@athena.mit.edu> Sender: news@ccncsu.ColoState.EDU Distribution: na Organization: Colorado State Computer Science Department Lines: 37 Thanks to Jonathan for pointing out a possible mistake in my posting. The man page for crypt(3) differs from how I remember the routine, but as it has been several years, and due to system problems, I am unable to look at it currently,... Have to watch out for the old memory :-) However, Jonathan, something to add to the *something* you know about cryptography: a "key" does not have to be private. Public key cryptography has been around for a while. What you have is a public key for encryption and a private key for decryption. I believe the most famous is the one where you start with two large prime numbers and do some crunching to get the keys. (I won't put down what I remember about it because my memory might be failing :-) In an application like passwords where all you need is authentication and not decryption, with public key encryption, either the key or the plaintext can be the "private" information. To support your view, I believe DES is a conventional(not public key) encryption system in which case, with one piece of "private" information, it would have to be the key. BTW, usage in a man page does not qualify as a method for determination of "proper" usage. Though reading the man page suggests the salt as a key in an encryption process of the hashing algorithm. Anyway, the point that was originally meant still stands(as supported in another post by Jonathan: Knowing the encryption process and the encrypted password does not help much to determine the user's password. Yes, it can be done, but it is computationally expensive and almost infeasible with today's machines. Knowing additional information like how long it is and whether or not it has special symbols in it brings it down to doable today(I have seen it done. Before you ask, it was a case of a forgotten root password, not "cracking" someone else's). Enjoy! charles