Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <7326@brl-smoke.ARPA>
Date: 23 Feb 88 22:03:56 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <18083@topaz.rutgers.edu> <7267@brl-smoke.ARPA> <259@aiva.ed.ac.uk>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 14

In article <259@aiva.ed.ac.uk> richard@uk.ac.ed.aiva (Richard Tobin) writes:
>Of course, comparing two encrypted passwords for equality is trickier,
>as the "salt" may be different.

That was my whole point. With something like 4K salts, you would have
to keep a LOT of encrypted previous-password data around.

>BTW, does knowing two different encryptions of a password (ie encrypted
>with different salts) make decrypting easier?

In theory, yes, but in practice decryption of such short samples of
DES-encrypted data by analysis is generally considered too difficult.
Thus the emphasis on "practical cryptanalysis", such as is done by the
program that was posted to sci.crypt recently.
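
The salt problem discussed in this post, as an added example that is not part of the original message or thread: a password-history check in which direct comparison of stored hashes fails across salts, next to a check that re-hashes the plaintext candidate under each stored salt. Assumptions: the check runs at password-change time, when the new plaintext is available; PBKDF2-HMAC-SHA256 stands in for DES-based crypt(3); all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT_SPACE = 4096   # 12-bit salt, the "4K salts" of classic crypt(3)
ITERATIONS = 1000   # assumption: kept low so the demo runs quickly


def salted_hash(password: str, salt: int) -> bytes:
    """Stand-in for crypt(3): PBKDF2-HMAC-SHA256 over a 12-bit salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.to_bytes(2, "big"), ITERATIONS
    )


def new_entry(password: str, salt=None):
    """Return (salt, hash) as a password file or history file would store it."""
    if salt is None:
        salt = secrets.randbelow(SALT_SPACE)
    return salt, salted_hash(password, salt)


def naive_reused(entry, history) -> bool:
    """Broken check: compares stored hashes directly and ignores the salts."""
    return any(hmac.compare_digest(entry[1], h) for _, h in history)


def reused(candidate: str, history) -> bool:
    """Re-hash the plaintext candidate under each stored salt, then compare."""
    return any(
        hmac.compare_digest(salted_hash(candidate, s), h) for s, h in history
    )


def all_salts_storage(hash_len: int = 13) -> int:
    """Bytes per old password if every salt variant were stored instead
    (13 is the length of a classic crypt(3) output string)."""
    return SALT_SPACE * hash_len


# Constructed sample history: two previous passwords with fixed salts.
HISTORY = [new_entry("hunter2", salt=17), new_entry("tr0ub4dor", salt=2049)]

if __name__ == "__main__":
    print("naive, same password, other salt:",
          naive_reused(new_entry("hunter2", salt=18), HISTORY))
    print("re-hash under stored salts:", reused("hunter2", HISTORY))
    print("bytes per old password, all salts:", all_salts_storage())
```
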