Xref: utzoo rec.games.mud:2677 alt.security:2023 comp.unix.wizards:24558
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!helios!auvc8!auvsaff
From: auvsaff@auvc8.tamu.edu (David Safford)
Newsgroups: rec.games.mud,alt.security,comp.unix.wizards
Subject: Re: Hacking
Keywords: WARNING!
Message-ID: <13824@helios.TAMU.EDU>
Date: 27 Mar 91 15:25:15 GMT
References: <1991Mar26.015635.23103@mintaka.lcs.mit.edu> <1991Mar26.163720.28379@en.ecn.purdue.edu> <1991Mar27.041126.9886@news.miami.edu> <1991Mar27.094325.24599@en.ecn.purdue.edu>
Sender: usenet@helios.TAMU.EDU
Reply-To: auvsaff@auvc8.tamu.edu (David Safford)
Followup-To: rec.games.mud
Lines: 20

In article <1991Mar27.094325.24599@en.ecn.purdue.edu>, kidder@en.ecn.purdue.edu (Mark Stephen Kidder) writes:
|>PS I learned earlier from another that UNIX does not use a DES
|>   encryption method for the password; however, a one-way method
|>   is used making decoding a password impossible.
|>

Well, sort of true. To be precise, Unix password encryption is done with
25 repetitions of a very slightly modified DES routine. The 25 repetitions
are done to slow down hacking attempts, such as with dictionary based
programs. This repetition makes a single dictionary pass take minutes,
rather than seconds, which does help.

The modification to DES is rather minor - the DES E (expansion) table is
scrambled in one of 4096 ways, based on a random 2 character salt. The
rationale for this minor modification was to prevent use of DES hardware
for password attacks.

The bottom line is that crypt differs from DES only slightly, but enough
to slow down hacking a bit.
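
The salt-driven scrambling of the E table described in the post above, as an added example that is not part of the original post. It assumes the traditional crypt(3) rule, which the post does not spell out: each of the 12 salt bits, when set, swaps E-table entries i and i+24. The function names are hypothetical.

```python
# Added illustration. DES_E is the standard DES expansion table; SALT_CHARS is
# the traditional crypt(3) salt alphabet (64 symbols, 6 bits per character).
import itertools

SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

DES_E = [
    32,  1,  2,  3,  4,  5,
     4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,
    12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,
    20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,
    28, 29, 30, 31, 32,  1,
]

def salt_bits(salt):
    """Decode a 2-character salt into its 12-bit value (first char = low 6 bits)."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be 2 characters from [./0-9A-Za-z]")
    return SALT_CHARS.index(salt[0]) | (SALT_CHARS.index(salt[1]) << 6)

def salted_e_table(salt):
    """Return the E table as perturbed by the salt.

    Assumed rule (traditional crypt(3)): salt bit i set -> swap E[i] and E[i+24].
    """
    bits = salt_bits(salt)
    e = list(DES_E)
    for i in range(12):
        if (bits >> i) & 1:
            e[i], e[i + 24] = e[i + 24], e[i]
    return tuple(e)

def count_distinct_tables():
    """Enumerate every possible salt and count the distinct E tables produced."""
    salts = ("".join(p) for p in itertools.product(SALT_CHARS, repeat=2))
    return len({salted_e_table(s) for s in salts})

if __name__ == "__main__":
    print("salt '..' leaves E unchanged:", salted_e_table("..") == tuple(DES_E))
    print("distinct E tables over all salts:", count_distinct_tables())
```

Because every salt selects a different expansion table, a stock DES implementation cannot be reused unmodified, and a precomputed dictionary of hashes has to be built once per salt.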