Xref: utzoo news.sysadmin:1320 comp.unix.wizards:12291
Path: utzoo!utgpu!attcan!uunet!seismo!sundc!pitstop!sun!quintus!ok
From: ok@quintus.uucp (Richard A. O'Keefe)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: How to stop future viruses.
Message-ID: <656@quintus.UUCP>
Date: 10 Nov 88 09:59:56 GMT
References: <16722@agate.BERKELEY.EDU> <2178@cuuxb.ATT.COM> <16768@agate.BERKELEY.EDU>
Sender: news@quintus.UUCP
Reply-To: ok@quintus.UUCP (Richard A. O'Keefe)
Organization: Quintus Computer Systems, Inc.
Lines: 10

In article <16768@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes:
>Secondly, your approach will no longer work with the advent of the
>salt, the 12 random bits stored in the clear with the encrypted
>password.  You would have to encrypt the dictionary 4096 times, or be
>content with cracking a much smaller portion of the password file.  It
>would be good to expand the salt to 36 bits, just to make sure that you
>can't preencrypt even a small dictionary.

I'm afraid the salt is not much protection.  I'm not going to explain why,
but read the crypt(3) manual page carefully...