Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!hao!oddjob!gargoyle!ihnp4!occrsh!occrsh.ATT.COM!rjd
From: rjd@occrsh.ATT.COM
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <142700024@occrsh.ATT.COM>
Date: 17 Feb 88 15:48:00 GMT
References: <465@xios.XIOS.UUCP>
Lines: 17
Nf-ID: #R:xios.XIOS.UUCP:-46500:occrsh.ATT.COM:142700024:000:936
Nf-From: occrsh.ATT.COM!rjd Feb 17 09:48:00 1988

>Nah, I just change it to what it was before. That's much easier to remember,
>and since Unix encrypts it differently each time, the administrators have
>no way of knowing that I'm doing it.

Ah, but there is a way of knowing without storing un-encrypted passwords
around. Since the "seed" used for the permutation algorithm is the first two
characters of the encrypted password, all you need to do is encrypt your new
password using the seed of each of the old ones, and then compare the
encryption to the encrypted password whose seed you are using. The passwd()
command uses some mumbo-jumbo on the system clock to generate a pseudo-random
seed each time you set or change your password.

For that matter, though it would be in bad faith of the administrator, it is
a simple thing to change the one program (or more?) to record the password
un-encrypted somewhere.... All that you need is to modify source to passwd().

Randy
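The reuse check Randy describes, worked through as an added example (this is not code from the original post or from any Unix passwd(1)). The stored string keeps crypt(3)'s layout, a two-character seed from the alphabet ./0-9A-Za-z followed by the hash, but the DES permutation is replaced by PBKDF2-HMAC-SHA256 from hashlib so it runs on a stock Python 3 install; the function names, the history list and the sample passwords are all assumptions made for this example. The point it demonstrates is the one in the post: a candidate hashed under a fresh seed matches nothing, but re-hashed under each old entry's own seed it exposes the change-it-back trick without any plaintext being kept.

```python
import hashlib
import secrets

# crypt(3) salt alphabet: ./0-9A-Za-z (64 symbols); two characters of it
# became the "seed" that led every encrypted password.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 2
ITERATIONS = 50_000  # PBKDF2 work factor; stand-in for DES crypt (assumption)


def random_salt() -> str:
    """Pick a fresh two-character seed from a CSPRNG (not from the clock)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def hash_password(password: str, salt: str) -> str:
    """Return salt + hex digest, keeping crypt(3)'s salt-in-front layout."""
    if len(salt) != SALT_LEN or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from " + SALT_ALPHABET)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), ITERATIONS
    )
    return salt + digest.hex()


def salt_of(stored: str) -> str:
    """The seed is recoverable from the stored string: its first two characters."""
    return stored[:SALT_LEN]


def is_reused(new_password: str, history) -> bool:
    """Re-encrypt the candidate under each old entry's own seed and compare.

    Hashing the candidate with a fresh seed would never match anything,
    which is exactly what the quoted user was counting on; reusing each
    old seed is what makes the comparison meaningful.
    """
    for old in history:
        candidate = hash_password(new_password, salt_of(old))
        if secrets.compare_digest(candidate, old):
            return True
    return False


def change_password(history, new_password: str) -> bool:
    """Admin-side policy hook: refuse the change if the password was used before."""
    if is_reused(new_password, history):
        return False
    history.append(hash_password(new_password, random_salt()))
    return True


def simulate_flip_flop():
    """Replay the trick from the quoted post: change away, then change back."""
    history = []  # constructed, empty password history
    first = change_password(history, "hunter2")
    second = change_password(history, "correct horse")
    back_again = change_password(history, "hunter2")  # caught by the seed replay
    return first, second, back_again


if __name__ == "__main__":
    print(simulate_flip_flop())  # (True, True, False)
```

The comparison uses a constant-time equality so the check itself does not leak how many leading characters of the stored hash a guess shares; the hash history should still be protected like the password file it mirrors, since each entry is an offline-crackable copy of an old password.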