Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!eos!labrea!sri-unix!quintus!ok
From: ok@quintus.uucp (Richard A. O'Keefe)
Newsgroups: comp.unix.wizards
Subject: Re: Improving password security
Keywords: password, security, brute-force
Message-ID: <716@quintus.UUCP>
Date: 20 Nov 88 07:51:59 GMT
References: <21670@pbhya.PacBell.COM> <27987@tut.cis.ohio-state.edu>
Sender: news@quintus.UUCP
Reply-To: ok@quintus.UUCP (Richard A. O'Keefe)
Organization: Quintus Computer Systems, Inc.
Lines: 12

In article <27987@tut.cis.ohio-state.edu> jgreely@banjo.cis.ohio-state.edu (J Greely) writes:
>1. break the plaintext: trivial to do, if I can read libc.a on your
> system. Since crypt is a standard library function, the object
> file is open to anyone who wants it. Your secret plaintext is
> secret only so long as no one is allowed to use the crypt function.
>
Not so trivial if the revised crypt() is an RPC call to a "crypt server";
then you would need read access to the crypt server code as well.
[This would be one occasion when the added cost of an RPC call would be welcome!]

A site-configurable plaintext for crypt() sounds nice, but remember what
Feynman found out about safes!
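The design being argued over above, as an added illustration that is not part of the thread: the site secret lives only inside a "crypt server" object that exposes hash and verify, so a stored hash cannot be checked (or attacked offline) by anyone who merely holds the hash file and the client library. HMAC-SHA256 plus PBKDF2 is a modern stand-in assumed here, not the DES-based crypt() of 1988; the class and function names are hypothetical.

```python
import hmac
import hashlib
import os
from typing import Optional


class CryptServer:
    """Holds the site secret ("plaintext" in the thread) and never returns it.

    A caller can only ask for a hash or a verification, which is the
    property the RPC crypt server in the post is meant to provide: reading
    the client side (the libc.a of the thread) reveals no secret.
    """

    def __init__(self, site_secret: bytes, rounds: int = 100_000):
        self._secret = site_secret      # stays private to this object
        self._rounds = rounds

    def hash(self, password: str, salt: Optional[bytes] = None) -> str:
        if salt is None:
            salt = os.urandom(16)       # per-user salt, stored with the hash
        # Key the password with the site secret first, then stretch the
        # result so guessing stays expensive even if the secret ever leaks.
        keyed = hmac.new(self._secret, password.encode(), hashlib.sha256).digest()
        dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, self._rounds)
        return f"{salt.hex()}${dk.hex()}"

    def verify(self, password: str, stored: str) -> bool:
        salt_hex, _ = stored.split("$", 1)
        candidate = self.hash(password, bytes.fromhex(salt_hex))
        # constant-time comparison of the encoded strings
        return hmac.compare_digest(candidate, stored)


def checkable_without_server(stored: str, password: str, guessed_secret: bytes) -> bool:
    """Models a party that holds the hash file but not the server's secret:
    they can only verify by guessing the secret, which fails unless it is right."""
    return CryptServer(guessed_secret).verify(password, stored)
```

Run with a constructed secret and password to see that the same hash verifies under the real server and fails under any other secret.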