Path: utzoo!attcan!uunet!husc6!mailrus!uflorida!haven!adm!xadmx!rbj@nav.icst.nbs.gov
From: rbj@nav.icst.nbs.gov (Root Boy Jim)
Newsgroups: comp.unix.wizards
Subject: How to stop future viruses.
Message-ID: <17619@adm.BRL.MIL>
Date: 22 Nov 88 17:08:52 GMT
Sender: news@adm.BRL.MIL
Lines: 22

>From Doug Gwyn
? In article <17575@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
? >A better thing to do would be encrypt the password as usual, *and then
? >select a random salt* to replace the salt it was encrypted with. That
? >way, naive people can crack away to no avail.
? No, that's not right since it doesn't block the "snarf /etc/passwd
? and run trial passwords against it" approach. If you want to leave
? encrypted passwords in /etc/passwd please make sure that (a) they
? are encryptions of random gobbledygook and (b) the verification
? scheme never accepts a match against /etc/passwd as validating a
? user under any circumstances. (The scheme Mumaugh described did.)

My suggesting the resalting technique was an attempt to disguise the
encryption. As it turns out, since the encryption algorithm is completely
dense, I have unwittingly provided a target.

I accept your (a) (altho why bother to encrypt at all?), and never
suggested (b).

	(Root Boy) Jim Cottrell	(301) 975-5688 or
	Crackers and Worms -- Breakfast of Champions!
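Gwyn's two rules, (a) and (b), as an added illustration that is not part of the thread: the world-readable password field holds the encryption of random junk, and the verifier consults only a protected shadow store, so a trial-password match against /etc/passwd validates nothing. PBKDF2 stands in for crypt(3); the `PasswordDB` class, the user "alice" and her password are constructed for the demo.

```python
import hashlib
import hmac
import os

SALT_LEN = 8


def encrypt(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): salted one-way hash, with the salt kept in front."""
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def matches(password: str, stored: bytes) -> bool:
    """True if `password` encrypts to `stored` under the salt `stored` carries."""
    return hmac.compare_digest(encrypt(password, stored[:SALT_LEN]), stored)


class PasswordDB:
    """Constructed model of two tables: world-readable /etc/passwd and a shadow store."""

    def __init__(self) -> None:
        self.passwd: dict[str, bytes] = {}  # world-readable field: decoys only
        self.shadow: dict[str, bytes] = {}  # readable by the verifier alone

    def add_user(self, user: str, password: str) -> str:
        self.shadow[user] = encrypt(password, os.urandom(SALT_LEN))
        # Rule (a): the public field encrypts random gobbledygook, never the password.
        decoy = os.urandom(12).hex()
        self.passwd[user] = encrypt(decoy, os.urandom(SALT_LEN))
        return decoy  # returned only so the demo can show a recovered decoy is worthless

    def verify(self, user: str, password: str) -> bool:
        # Rule (b): only the shadow entry validates a user; /etc/passwd is not consulted.
        stored = self.shadow.get(user)
        return stored is not None and matches(password, stored)


def demo() -> tuple[bool, bool, bool]:
    """Returns (real password accepted, decoy matches passwd field, decoy logs in)."""
    db = PasswordDB()
    decoy = db.add_user("alice", "correct horse")          # constructed sample user
    real_ok = db.verify("alice", "correct horse")          # True
    decoy_matches = matches(decoy, db.passwd["alice"])     # True: the public field is a real hash
    decoy_logs_in = db.verify("alice", decoy)              # False: a passwd match validates nothing
    return real_ok, decoy_matches, decoy_logs_in


if __name__ == "__main__":
    print(demo())
```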