Path: utzoo!attcan!uunet!convex!killer!ames!pacbell!pbhya!whh
From: whh@pbhya.PacBell.COM (Wilson Heydt)
Newsgroups: comp.unix.wizards
Subject: Improving password security
Keywords: password, security, brute-force
Message-ID: <21670@pbhya.PacBell.COM>
Date: 19 Nov 88 03:12:57 GMT
Organization: Pacific * Bell, Oakland, CA
Lines: 26

I've been reading the discussions of how to tighten security in the
light of recent events. In particular, the remarks about weaknesses in
the existing password encryption algorithms. I am puzzled about an
omission in the solutions suggested.

As I recall from the supplementary Unix manuals--specifically the two
articles on password security--it is noted that the standard Unix scheme
uses the password as the encryption key on a standard plaintext.

Would it not be a great help in stopping brute-force attacks to make the
plaintext configurable by binary-license sites? Then the attacker would
have to either break to the plaintext for each site--difficult enough in
itself--restrict itself to some subset of the possible plaintexts, or
generate an implausibly large dictionary.

Am I off base? Merely out of date? Or has this been (or is this being)
done?

--Hal

=========================================================================
Hal Heydt                    | "Hafnium plus Holmium is
Analyst, Pacific*Bell        |  one-point-five, I think."
415-645-7708                 |                --Dr. Jane Robinson
{att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh
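The following is an added worked model of the scheme the post describes, not code from the original post or from any Unix implementation. It keeps the essential structure of crypt(3): the password is the key, and what gets encrypted is a fixed, publicly known plaintext, with a salt mixed in. HMAC-SHA256 is an assumed stand-in for the 25-round salted DES of the real crypt(3), since Python's standard library has no DES; the salt space is shrunk from 12 bits to 16 values so the demonstration runs instantly. The two sites, their users, the wordlist and site B's plaintext are all constructed for the example. It shows the precomputed-dictionary attack the post worries about, why a site-specific plaintext defeats a dictionary built against the standard one, and the caveat the post itself hints at: once the attacker learns a site's plaintext, the table is simply rebuilt for that site.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed model of classic Unix crypt(3): the password is the KEY and the
# thing encrypted is a fixed, publicly known plaintext (a block of zeros in the
# real implementation). HMAC-SHA256 is an ASSUMED stand-in for salted DES; the
# shape of the attack does not depend on which keyed primitive is used.
STANDARD_PLAINTEXT = b"\x00" * 8

# Deliberately tiny salt space so the demo is instant. Real crypt(3) used 12 bits
# (4096 values), which multiplies the attacker's table by 4096, exactly the same
# multiplier a per-site plaintext would add, once per site.
SALT_SPACE = [bytes([s]) for s in range(16)]


def crypt_model(password: bytes, salt: bytes, plaintext: bytes = STANDARD_PLAINTEXT) -> str:
    """Return a password-file field: the salt plus the keyed 'encryption' of plaintext."""
    digest = hmac.new(password, salt + plaintext, hashlib.sha256).hexdigest()
    return f"{salt.hex()}${digest}"


def set_password(password: bytes, plaintext: bytes = STANDARD_PLAINTEXT) -> str:
    """What passwd(1) stores: pick a random salt, then encrypt the fixed plaintext under the password."""
    return crypt_model(password, secrets.choice(SALT_SPACE), plaintext)


def precompute_table(wordlist, plaintext: bytes = STANDARD_PLAINTEXT) -> dict:
    """Attacker's dictionary: every (word, salt) pair encrypted once, keyed by the stored field."""
    return {
        crypt_model(word, salt, plaintext): word
        for word, salt in itertools.product(wordlist, SALT_SPACE)
    }


def crack(password_file: dict, table: dict) -> dict:
    """Recover passwords by table lookup alone; no per-target encryption work is needed."""
    return {user: table[field] for user, field in password_file.items() if field in table}


def demo():
    wordlist = [b"password", b"secret", b"hunter2", b"letmein"]   # constructed

    # Site A runs the stock scheme; site B has configured its own plaintext as the post proposes.
    site_b_plaintext = b"B-siteXY"                                  # constructed, assumed secret
    site_a = {"alice": set_password(b"password"),
              "bob": set_password(b"Tr0ub4dor&3")}
    site_b = {"carol": set_password(b"password", site_b_plaintext),
              "dave": set_password(b"secret", site_b_plaintext)}

    # One table, built once against the standard plaintext, serves every stock site.
    shared_table = precompute_table(wordlist)
    cracked_a = crack(site_a, shared_table)        # alice falls; bob's password is not in the list
    cracked_b = crack(site_b, shared_table)        # nothing: same weak words, different plaintext

    # The caveat: if the attacker obtains site B's plaintext, the dictionary is rebuilt for it.
    # The gain is therefore one table per site, not a barrier against dictionary attacks.
    site_b_table = precompute_table(wordlist, site_b_plaintext)
    cracked_b_after = crack(site_b, site_b_table)  # carol and dave both fall
    return cracked_a, cracked_b, cracked_b_after


if __name__ == "__main__":
    a, b, b_after = demo()
    print("site A, shared table      :", a)
    print("site B, shared table      :", b)
    print("site B, site-specific table:", b_after)
```

The model makes the trade-off concrete: a secret per-site plaintext forces the attacker to rebuild the dictionary per site (or to recover the plaintext first), which is the same kind of work multiplier the salt already provides, and it buys nothing once the plaintext leaks with the binaries that embed it.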