Path: utzoo!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!uvm-gen!tnl!norstar From: norstar@tnl.UUCP (Daniel Ray) Newsgroups: comp.unix.questions Subject: Re: Query on speed of crypt(3) Summary: nsa hash string database for crypt(3) Keywords: crypt security password Message-ID: <235@tnl.UUCP> Date: 31 Dec 89 05:50:39 GMT References: <1989Dec14.195944.16931@ncsuvx.ncsu.edu> <3364@rti.UUCP> Organization: The Northern Lights, Burlington VT Lines: 32 In article <3364@rti.UUCP>, trt@rti.UUCP (Thomas Truscott) writes: ... crypt(3) uses DES which is slow in software and fast in hardware. And the hardware is cheap so it can be replicated. Using hardware to find DES keys by exhaustive search is easily within the budget of major governments. ... I wonder what is the chance that the NSA has a complete database of all possible /etc/passwd encrypted strings, for all 4098 salts... I'll just bet they can look up any password, in a few microseconds! The key to password security (assuming we stay with a crypt(3)-type hashing scheme with shorter length passwords) seems to be having a unique scheme for each machine. When a new UNIX system is installed, it could use its own key (instead of always the string of nulls crypt(3) uses), then link the login/su/passwd programs on the spot with that site's specific configuration. This would make your crypt(3) work differently from my crypt(3). Many more possibilities, much harder to crack outside your own site. Same should apply to the shadow scheme. Each site uses a different secret passwd file, a different directory and path each time. An intruder wouldn't know where to look for the encrypted strings. That's what we do here on TNL. Just as the proliferation of viruses is hindered by the variation of operating environments, so can breaking a password system be blocked by site-specific implementations. norstar The Northern Lights, Burlington Vermont | tnl dialins: 802-865-3614 at 300-2400 bps. ` | / ------------------------------------------ --- * --- uucp: uunet!uvm-gen!tnl!norstar or / | . {decvax,linus}!dartvax!uvm-gen!tnl!norstar |