Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!wls
From: wls@csd4.milw.wisc.edu (Bill Stapleton)
Newsgroups: comp.sources.wanted
Subject: Re: fast "crypt" routine
Summary: Use "dead" passwds, not "live" ones
Keywords: for Unix passwd encryption
Message-ID: <2401@csd4.milw.wisc.edu>
Date: 4 May 89 22:12:14 GMT
References: <39439@bbn.COM> <258@ibd.BRL.MIL>
Sender: news@csd4.milw.wisc.edu
Reply-To: wls@csd4.milw.wisc.edu.UUCP (Bill Stapleton)
Organization: Computing Services, U of Wisc-Milwaukee
Lines: 22

Frank A. Lonigro writes:
>... I'm writing a utility to find
>and weed out easy to guess users' passwords to make our systems more secure.

Mark A. Heilpern writes:
>Geez, if I wanted to write this program, I'd rather use a slow encryption
>method, like the included "crypt(key,salt)" C routine from UNIX. I guess I'd
>just rather let this program run all night instead of create a potential
>security hole, especially one to be passwd across the net.

Random aside: One way of keeping tabs on passwords is to grab the *old*
password whenever the password is changed. That way, you don't need crypt
(you have what the user typed), and you don't actually fool with valid
passwords, yet you can still see what sorts of passwords are being used, and
identify people who tend to use their first names, etc.

No, I haven't actually done this, it's just an interesting idea I heard at a
security talk once upon a time...

--
Bill Stapleton
wls@csd4.milw.wisc.edu
uwvax!uwmcsd1!wls
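The idea in the post (look at the plaintext the user just typed at change time, so no crypt(3) is needed, and classify it rather than keep it) is sketched below as an added example; it is not code from the post or from anyone in the thread. The function names, the tiny word list standing in for /usr/dict/words, the record shape `(username, full_name, old_password)` and the sample records are all constructed for the example.

```python
"""Classify plaintext passwords as a password-change hook would see them.

Added example: only the category labels are retained, never the
passwords themselves, which is what "keeping tabs" needs.
"""
import re
from collections import Counter

# Constructed stand-in for /usr/dict/words (assumption: a real hook
# would load the full dictionary).
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "dragon", "unix"}


def weaknesses(password, username, full_name):
    """Return the weak patterns found in one plaintext password.

    The caller already has the clear text (the old password at change
    time), so nothing here touches crypt(3) or the live password file.
    An empty list means no pattern matched.
    """
    found = []
    pw = password.lower()
    if len(password) < 6:
        found.append("short")
    if pw == username.lower():
        found.append("username")
    # Any part of the account holder's name inside the password.
    if any(part in pw for part in full_name.lower().split()):
        found.append("name")
    if password.isdigit():
        found.append("all-digits")
    elif password.isalpha() and password.islower():
        found.append("lowercase-only")
    # Strip trailing digits so "secret1" still counts as a dictionary
    # word, and also catch the word spelled backwards.
    core = re.sub(r"\d+$", "", pw)
    if core in COMMON_WORDS or core[::-1] in COMMON_WORDS:
        found.append("dictionary")
    return found


def tally(records):
    """Count weakness categories over (username, full_name, old_password)
    records.  Only the labels are counted; the passwords are discarded."""
    counts = Counter()
    for username, full_name, old_password in records:
        kinds = weaknesses(old_password, username, full_name)
        counts.update(kinds or ["none-found"])
    return counts


# Constructed sample: fictional users and the old passwords a change
# hook would have just seen.
SAMPLE = [
    ("alice", "Alice Martin", "alice"),
    ("bob", "Bob Rivera", "rivera42"),
    ("carol", "Carol Young", "Secret1"),
    ("dave", "Dave Kim", "7q!Rz#9pLm"),
    ("erin", "Erin Shaw", "1234"),
]

if __name__ == "__main__":
    for user, name, pw in SAMPLE:
        print(user, weaknesses(pw, user, name))
    print(tally(SAMPLE))
```

`tally` is the part that matches the post's aim: the report says how many people used a name, a dictionary word or a short string, without the hook ever writing a password to disk. The name check is deliberately loose (any whitespace-separated part of the full name), so a short surname will over-match; a production hook would want a minimum part length.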