/etc/passwd

scott thomason scott at thomasons.org
Thu Jan 17 14:34:37 PST 2002


One should use MD5 passwords. It's not hard to switch. I think it's in
the LFS how-to section; if not, just read the doc in shadow.

On Thu, 2002-01-17 at 16:27, Phil Howard wrote:
> On Thu, Jan 17, 2002 at 06:02:26PM +0100, Matthias Benkmann wrote:
> 
> | On 17 Jan 2002, at 10:47, Bruce Dubbs wrote:
> | 
> | > password?  If you were cracking passwords a lot, you could just generate
> | > all combinations up to a certain length on a large hard disk and do a
> | > binary search on the digest and get any of those PWs in less than a second.
> | 
> | To prevent this, a so-called salt is used. You do not only encrypt the 
> | password, you first concatenate it with a (pseudo-)random salt string that 
> | is saved together with the encrypted string. In order for the above scheme 
> | to work you will have to generate encryptions of all passwords combined 
> | with all salt strings. That increases the amount of data extremely. The 
> | amount of storage needed is (still) too expensive to be used exclusively 
> | for cracking, especially since all sites worth cracking use shadow 
> | passwords so that you don't get the password file.
> 
> At a place I used to work, I once found two staff members had the same
> password.  They had that 1/64 chance of using the same salt, and also
> happened to be only 2 positions apart in the /etc/passwd file (this was
> before shadow was used back in the 1980's).  Sometimes the rare things
> do happen.  If we use a stronger hash like MD5 and a larger salt like
> 32 bits, these will be even more rare.
> 
> -- 
> -----------------------------------------------------------------
> | Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
> | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
> -----------------------------------------------------------------
> -- 
> Unsubscribe: send email to listar at linuxfromscratch.org
> and put 'unsubscribe lfs-security' in the subject header of the message
> 
-- 
Our government ... teaches the whole people by its example.
If the government becomes the lawbreaker, it breeds contempt
for the law; it invites every man to become a law unto himself;
it invites anarchy. -- Justice Louis D. Brandeis
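
An added example, not part of the original thread: a small audit of the password field in /etc/passwd-style lines. It recognises traditional crypt entries (2-character salt) and MD5-crypt entries (`$1$`, salt of up to 8 characters) and reports accounts whose stored hash or salt is identical, the situation described in the quoted message. The sample lines and their hash strings are constructed placeholders, and `classify` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

B64 = r"[./0-9A-Za-z]"                                      # crypt(3) alphabet
DES_RE = re.compile(rf"({B64}{{2}})({B64}{{11}})")           # 2-char salt + 11-char hash
MD5_RE = re.compile(rf"\$1\$({B64}{{1,8}})\$({B64}{{22}})")  # $1$salt$hash

# Constructed sample in /etc/passwd layout; the hash strings are made-up
# placeholders, not the output of a real crypt() call.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:ab01234567890:1000:100::/home/alice:/bin/sh
bob:cdABCDEFGHIJK:1001:100::/home/bob:/bin/sh
carol:ab01234567890:1002:100::/home/carol:/bin/sh
dave:$1$Qx7.pL2a$0123456789abcdefghijkl:1003:100::/home/dave:/bin/sh
erin:ab/.zzzzzzzzz:1004:100::/home/erin:/bin/sh
"""

def classify(field):
    """Return (scheme, salt) for one account's password field."""
    if m := DES_RE.fullmatch(field):
        return "des-crypt", m.group(1)
    if m := MD5_RE.fullmatch(field):
        return "md5-crypt", m.group(1)
    # 'x' means the hash lives in /etc/shadow; '*' and '!' mean locked.
    return ("empty" if field == "" else "no-hash"), None

def audit(text):
    """Return (scheme per user, groups with same hash, groups with same salt)."""
    schemes, by_field, by_salt = {}, defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        scheme, salt = classify(field)
        schemes[user] = scheme
        if salt is not None:
            by_field[field].append(user)            # same salt AND same password
            by_salt[(scheme, salt)].append(user)    # same salt only
    shared = lambda groups: [g for g in groups.values() if len(g) > 1]
    return schemes, shared(by_field), shared(by_salt)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts listed in the second result share a password; accounts in the third only share a salt, which is expected to happen far more often with a 2-character salt than with the longer MD5-crypt salt.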
