Re: passwd hashing algorithm

[fitz () wang com (Tom Fitzgerald)]

> SecureWare has modified
> the behavior of password hashing not to increase the strength of the
> underlying crypt(), but to increase the size of the possible password space
> and the resulting hash value.  The algorithm breaks a password into crypt-
> sized blocks, running crypt() across each block.  The salt for each block is
> derived from the ciphertext of the previous block to provide linkage between
> the individual blocks.  The resulting hash is the concatenation of the 
> various ciphertext blocks, prefixed with the initial salt.

This sounds like it could have a real weakness.  Passwords that are longer
than 8 characters tend to be only a little longer - most of them will be
9-12 characters.  Few passwords will be 16 characters.  With this algorithm
it's easy to crack the last block, using the salt derived from the
2nd-to-last ciphertext by trying all 1-4 character strings.  Given the last
block of cleartext you can make some good guesses about the earlier blocks
(If the last block is cracked and turns out to be 'h', you can try
'elizabeth', if it's 'ia' you can try 'california' etc.).  My guess is a
9-12 character password would be weaker than an 8-character password under
this scheme unless you were careful to keep the first 8 characters totally
independent of the rest, putting a semantic boundary in the password.

How about a variation where each block of cleartext was xor'ed with all of
the previous blocks of cleartext before crypting?

> watt:u_name=watt:u_id#124:\
> :u_pwd=8F0Ovkj7jA9jE.ofsJ4MaIt6:\

Hmmm.  Where'd I leave my copy of Crack....

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz () wang com