Path: utzoo!utgpu!watmath!clyde!att!osu-cis!killer!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Summary: Stop using TOD for the salt?
Message-ID: <10714@rpp386.Dallas.TX.US>
Date: 5 Jan 89 13:01:55 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu> <230@ibd.BRL.MIL> <946@ruuinf.UUCP> <10629@rpp386.Dallas.TX.US> <949@ruuinf.UUCP>
Reply-To: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Organization: Big "D" Home for Wayward Hackers
Lines: 21

In article <949@ruuinf.UUCP> piet@ruuinf (Piet van Oostrum) writes:
>In article <10629@rpp386.Dallas.TX.US>, jfh@rpp386 (The Beach Bum) writes:
>`Since there are only 2^56 possible outputs, and 2^132 inputs, some of
>`them must map onto other encrypted passwords - a multi-way encryption.
>`
>You are right, only it is 2^64 (the key for DES is 56 bits, but the output
>is 64 bits), so this still gives an 8 bit improvement, making it 128 times
>as hard.

If you obtain the salt from the password, rather than clock(), then you
are correct.  This would be an inexpensive way to increase the password
beyond 8 characters.  It is, unfortunately, incompatible with current
password files.

At what price progress?

[ How about - an extra field in /etc/privates giving the encryption method ;-) ]
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Anything on the road which can be
InterNet: jfh@rpp386.Dallas.TX.US       | hit, will be ..."
UucpNet : !killer!rpp386!jfh            +--------------------------------------