Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uflorida!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: How to stop future viruses.
Message-ID: <8925@smoke.BRL.MIL>
Date: 18 Nov 88 04:14:26 GMT
References: <17575@adm.BRL.MIL>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 11

In article <17575@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>A better thing to do would be encrypt the password as usual, *and then
>select a random salt* to replace the salt it was encrypted with. That
>way, naive people can crack away to no avail.

No, that's not right since it doesn't block the "snarf /etc/passwd and
run trial passwords against it" approach.

If you want to leave encrypted passwords in /etc/passwd please make sure
that (a) they are encryptions of random gobbledygook and (b) the
verification scheme never accepts a match against /etc/passwd as
validating a user under any circumstances.  (The scheme Mumaugh
described did.)
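The exchange above, worked through as an added example that is not part of the original post or of any system it mentions. The toy below assumes a crypt(3)-like scheme with a 12-bit salt (4096 values, as in the DES crypt of the era) but substitutes SHA-256 for the cipher so that the exhaustive-salt attack runs in a second; the names `resalted_entry`, `decoy_entry`, `crack` and `Verifier` are inventions for illustration. It shows why re-salting a published hash does not stop an offline attack (the attacker simply tries every salt), why a public field must be the hash of random bytes if it is published at all, and what goes wrong when the verifier also accepts a match against the public file.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

SALT_BITS = 12            # assumption: the 12-bit salt of DES crypt(3)
SALT_SPACE = 1 << SALT_BITS


def toy_digest(password: bytes, salt: int) -> str:
    """Stand-in for the crypt(3) core: hash(salt || password).

    SHA-256 is used only so the exhaustive-salt loop below is quick; it is
    not the DES-based cipher the original discussion was about.
    """
    if not 0 <= salt < SALT_SPACE:
        raise ValueError("salt out of range")
    return hashlib.sha256(salt.to_bytes(2, "big") + password).hexdigest()


def make_entry(password: bytes, salt: int) -> str:
    """Stored form '<salt-hex>$<digest>', like a passwd password field."""
    return f"{salt:03x}${toy_digest(password, salt)}"


def split_entry(entry: str) -> Tuple[int, str]:
    salt_hex, digest = entry.split("$", 1)
    return int(salt_hex, 16), digest


def resalted_entry(password: bytes) -> Tuple[str, str]:
    """Root Boy Jim's proposal: hash under one salt, publish under another.

    Returns (public_entry, real_entry).  The public copy carries a random
    salt that was *not* used to compute the digest.
    """
    real_salt = secrets.randbelow(SALT_SPACE)
    real_entry = make_entry(password, real_salt)
    fake_salt = secrets.randbelow(SALT_SPACE)
    return f"{fake_salt:03x}${split_entry(real_entry)[1]}", real_entry


def decoy_entry() -> str:
    """Gwyn's condition (a): the public field is the hash of random bytes,
    so no trial password has any chance of matching it."""
    return make_entry(os.urandom(16), secrets.randbelow(SALT_SPACE))


def crack(public_entry: str, wordlist: List[bytes]) -> Optional[bytes]:
    """What an attacker does with a snarfed /etc/passwd.

    The published salt is untrusted, so every salt is tried for every word.
    4096 salts is a 4096x slowdown, not a barrier: a re-salted digest is
    still a function of the real password and falls out of this loop.
    """
    _, digest = split_entry(public_entry)
    for word in wordlist:
        for salt in range(SALT_SPACE):
            if toy_digest(word, salt) == digest:
                return word
    return None


class Verifier:
    """A world-readable passwd map beside a private shadow map."""

    def __init__(self) -> None:
        self.public: Dict[str, str] = {}   # /etc/passwd, readable by everyone
        self.shadow: Dict[str, str] = {}   # readable only by the verifier

    def add_user(self, name: str, password: bytes) -> None:
        self.shadow[name] = make_entry(password, secrets.randbelow(SALT_SPACE))
        self.public[name] = decoy_entry()

    def verify(self, name: str, password: bytes) -> bool:
        """Gwyn's condition (b): consult only the shadow store, never passwd."""
        entry = self.shadow.get(name)
        if entry is None:
            return False
        salt, digest = split_entry(entry)
        return hmac.compare_digest(toy_digest(password, salt), digest)

    def verify_flawed(self, name: str, password: bytes) -> bool:
        """The scheme Gwyn objects to: a public-file match is also accepted.

        The decoy then becomes a live credential: whoever can plant an entry
        in the public file, or learns the decoy's preimage, is let in.
        """
        if self.verify(name, password):
            return True
        entry = self.public.get(name)
        if entry is None:
            return False
        salt, digest = split_entry(entry)
        return hmac.compare_digest(toy_digest(password, salt), digest)
```

Run `crack()` against the public half of `resalted_entry(b"secret")` with a small wordlist and the password comes back; run it against `decoy_entry()` and nothing does. The tampering case (overwriting `Verifier.public[name]` with a hash of a chosen word) is a constructed scenario to show the difference between `verify()` and `verify_flawed()`, not a claim about any particular historical system.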