Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uwm.edu!linac!att!bu.edu!transfer!lectroid!ellisun!cme
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Newsgroups: comp.unix.sysv386
Subject: Re: New Login: need crypt
Message-ID: <4802@lectroid.sw.stratus.com>
Date: 3 Apr 91 21:36:02 GMT
References: <1991Mar27.082707.17385@logixwi.uucp>
Sender: usenet@lectroid.sw.stratus.com
Organization: Stratus Computer, Inc.
Lines: 11

In article em@dce.ie (Eamonn McManus) writes:
>There is an undocumented routine called bigcrypt() which is called in
>essentially the same way as crypt(). It produces the same result as
>crypt() for short passwords (<= 8 plaintext characters); for longer
>passwords it apparently crypts each block of eight characters separately
>and concatenates the results.

If I understand this correctly, bigcrypt() will let you know, through
the number of output blocks, truncate(password_length / 8). Needless
to say, that's a security flaw.
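
The length leak raised in the reply above, as an added example that is not part of the original post or of any vendor's bigcrypt(): a Python model that hashes each 8-character block separately, next to a single fixed-width hash of the whole password. SHA-256 stands in for crypt(), and the 2-character salt prefix, the 11-character segment width, the function names and the sample accounts are assumptions made for the illustration.

```python
import hashlib

BLOCK = 8   # plaintext characters per block, as the post describes
SEG = 11    # assumption: output characters per block in this model
SALT = 2    # assumption: salt characters stored in front of the blocks


def _segment(salt: str, block: bytes) -> str:
    # Stand-in for one crypt() call (not DES crypt): fixed-width digest text.
    return hashlib.sha256(salt.encode() + block).hexdigest()[:SEG]


def blockwise_hash(password: str, salt: str) -> str:
    """Model of the scheme in the post: hash each 8-character block on its
    own and concatenate the results."""
    data = password.encode()
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    return salt + "".join(_segment(salt, b) for b in blocks)


def whole_hash(password: str, salt: str) -> str:
    """Contrast: one digest over the entire password, constant width."""
    return salt + _segment(salt, password.encode())


def length_bounds(stored: str) -> tuple[int, int]:
    """(min, max) plaintext length implied by a block-wise stored value."""
    nblocks = max(1, (len(stored) - SALT) // SEG)
    low = 0 if nblocks == 1 else (nblocks - 1) * BLOCK + 1
    return low, nblocks * BLOCK


def audit(entries: dict[str, str]) -> dict[str, tuple[int, int]]:
    """Accounts whose stored value shows the password exceeds one block."""
    return {user: length_bounds(h) for user, h in entries.items()
            if len(h) > SALT + SEG}


# Constructed sample accounts and passwords, for illustration only.
SAMPLE = {
    "alice": blockwise_hash("tr0ub4dor", "ab"),              # 9 chars, 2 blocks
    "bob": blockwise_hash("short", "cd"),                    # 5 chars, 1 block
    "carol": blockwise_hash("correct horse battery", "ef"),  # 21 chars, 3 blocks
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the model, the block-wise value grows by one segment per eight characters, while `whole_hash` returns the same width for every password, so the stored value alone says nothing about length.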