Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!nrl-cmf!cmcl2!brl-adm!adm!rbj@icst-cmr.arpa From: rbj@icst-cmr.arpa (Root Boy Jim) Newsgroups: comp.unix.wizards Subject: 60-second timeout in Unix login Message-ID: <12035@brl-adm.ARPA> Date: 29 Feb 88 23:12:25 GMT Sender: news@brl-adm.ARPA Lines: 37 From: Doug Gwyn In article <259@aiva.ed.ac.uk> richard@uk.ac.ed.aiva (Richard Tobin) writes: >Of course, comparing two encrypted passwords for equality is trickier, >as the "salt" may be different. That was my whole point. With something like 4K salts, you would have to keep a LOT of encrypted previous-password data around. What Richard Tobin says is correct, but I don't think relevant. You don't have to keep *all* possible encryptions of the password `foobar' to reject a future attempt to use foobar as a password. Just use the salt that is used in the encrypted password. Assuming all attempts to use a given password are rejected, it is possible for only one of the 4096 encryptions of a given password to be in the encryption file. On the other hand, if one were to collect all previous passwords ever used at a site from backup tapes (or rather, their encrypted versions), there is a way to pare the equal ones down. First collect all unique encrypted passwords and put them in a file which I will refer to as the raw file. Create an empty file which I will call the unique file. Whenever a password is entered, check for all matches in the unique file. If a match is found, one need look no further. Otherwise, search all entrys in the raw file. If matches are found, pick one and enter it in the unique file. Delete all matches from the raw file. It is interesting that people's ideas on security are often wrong. For example, some people around here think that having different passwords on different machines provides better security than using the same one for all machines! It just ain't so. (Root Boy) Jim Cottrell National Bureau of Standards Flamer's Hotline: (301) 975-5688 YOW!!! I am having fun!!!