Path: utzoo!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!snorkelwacker!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.questions
Subject: Re: passwds and crypt(3)...
Message-ID: <1990Jan3.204103.9684@athena.mit.edu>
Date: 3 Jan 90 20:41:03 GMT
References: <1990Jan3.103141.9903@gdt.bath.ac.uk> <21913@adm.BRL.MIL> <1990Jan2.222052.915@athena.mit.edu>
Sender: news@athena.mit.edu (News system)
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 20

In article <1990Jan3.103141.9903@gdt.bath.ac.uk>, exspes@gdr.bath.ac.uk (P E Smee) writes:
> Unstated, but implicit, is the fact that it is even worse if the perpetrator
> just wants to break *some* password(s), not necessarily yours.  Having
> encrypted a 'trial' password once, it can then be checked against all
> encrypted passwords in /etc/passwd to see if it gets any hits.

  (I'm not sure if you already know this, but it sounds like you don't
-- I may just be understanding what you're trying to say wrong.)

  No, that's the whole point of the seed.  The seed is *different* for
each encrypted password in the /etc/passwd file (or, at the very least,
there are a number of different seeds), so trial passwords must be
encrypted in each possible seed before they can be compared to encrypted
passwords.

Jonathan Kamens                  USnail:
MIT Project Athena               11 Ashford Terrace
jik@Athena.MIT.EDU               Allston, MA 02134
Office: 617-253-8495             Home: 617-782-0710
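Added example, not part of the original post: a short Python sketch of the point about seeds (salts), counting how many hash computations one trial password costs against a whole password table. It uses salted SHA-256 as a stand-in for crypt(3); the function names, users, passwords and salts are all constructed for illustration.

```python
import hashlib


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: salted SHA-256, not the real DES-based
    algorithm). As in /etc/passwd, the salt is stored in clear before the hash."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def make_table(salts: dict) -> dict:
    """Build a constructed password table; alice and carol share a password."""
    passwords = {"alice": "wombat", "bob": "tr0ub4dor", "carol": "wombat"}
    return {user: toy_crypt(pw, salts[user]) for user, pw in passwords.items()}


def check_trial(trial: str, table: dict):
    """Compare one trial password with every entry.

    Returns (matching users, hash computations needed). The trial must be
    hashed once per *distinct* salt, which is the cost the salt imposes.
    """
    hashed_by_salt = {}
    hits = []
    for user, stored in table.items():
        salt = stored.split("$", 1)[0]
        if salt not in hashed_by_salt:
            hashed_by_salt[salt] = toy_crypt(trial, salt)
        if hashed_by_salt[salt] == stored:
            hits.append(user)
    return hits, len(hashed_by_salt)


# One salt for every entry: the situation the quoted text assumes.
SHARED = make_table({"alice": "aa", "bob": "aa", "carol": "aa"})
# A different salt per entry: the situation the reply describes.
SALTED = make_table({"alice": "Qx", "bob": "7f", "carol": "mZ"})

if __name__ == "__main__":
    for name, table in (("shared salt", SHARED), ("per-entry salts", SALTED)):
        hits, cost = check_trial("wombat", table)
        print(f"{name}: hits={hits}, hash computations={cost}")
    # With a shared salt, equal passwords are also visible as equal hashes.
    print("alice == carol (shared):", SHARED["alice"] == SHARED["carol"])
    print("alice == carol (salted):", SALTED["alice"] == SALTED["carol"])
```

With n distinct salts in the file, each trial password costs n hash computations instead of one, and identical passwords no longer produce identical stored values.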