Bugtraq mailing list archives

Re: passwd hashing algorithm


From: LTABER () pimacc pima edu (Louis Taber)
Date: 13 Apr 1995 11:46:22 -0700


* David Faron Stagner (stagda () sys1 ic ncs com) writes

I'm with der Mouse on this... the current state of crypt() and
password hashing in unix is inexcusable.  
..... stuff removed

So what we're left with is replacing crypt() with something decently
strong.  How about triple DES?  At this point in the game, triple DES
seems as strong as anything available, and certainly far stronger than
the existing scheme.  It also would not change the length of the
passwords on file or the basic authentication mechanism.  Of course,
this still doesn't solve the problem of weak passwords (which is still
a basic attack mechanism for crack), but it would make
minimum-password schemes much more effective, and increase the value
of good passwords substantially.  

Someone tell me if I'm completely off-base here.
-- 
* David Faron Stagner
* National Computer Systems           david_stagner () ic ncs com
* 2510 N Dodge St                     vox 319 354 9200 ext 6884
* Iowa City, IA 52244                 fax 319 339 6555

My take on this is that encryption is NOT the way to go.   This would 
mean that there exists a key that could decrypt the entire password file.
On this count triple DES is no better than regular DES.  From my 
understanding the MD5 would work well.  It is non-reversible.

Louis
 
Louis Taber                                                   ltaber () pima edu
Pima Community College, Computer Science, 2202 W. Anklam Rd, Tucson, AZ 85709
(520) 884-6039 Secretary / (520) 884-6850 Office direct
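The distinction the reply draws, as an added illustration that is not part of the original thread: a password file stored under a reversible cipher is fully recoverable by whoever holds the key, while a one-way hash (MD5, as proposed above) has no such key, yet remains open to the weak-password guessing both posters mention. The XOR-with-keystream cipher, the user names, the key and the word list are all constructed stand-ins for this example (the cipher is not DES; only the "one key decrypts everything" property matters here).

```python
import hashlib

# Toy reversible "encryption": XOR with a keystream derived from the key.
# Constructed stand-in for the triple DES proposal; the property shown is
# the same: anyone holding the key can decrypt every stored password.
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password(key: bytes, password: str) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def decrypt_password(key: bytes, ciphertext: bytes) -> str:
    plain = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))
    return plain.decode()

def hash_password(password: str) -> str:
    # One-way, as in the reply above: unsalted, fast MD5. Nothing stored
    # here lets anyone turn the digest back into the password.
    return hashlib.md5(password.encode()).hexdigest()

def recover_with_key(key: bytes, encrypted_file: dict) -> dict:
    # The failure mode the reply objects to: one key exposes the whole file.
    return {user: decrypt_password(key, ct) for user, ct in encrypted_file.items()}

def guess_hashed(hashed_file: dict, wordlist: list) -> dict:
    # What "crack" does against a hash file: guess candidates, hash each,
    # and compare. Only weak (guessable) passwords fall to this.
    table = {hash_password(word): word for word in wordlist}
    return {user: table[h] for user, h in hashed_file.items() if h in table}

if __name__ == "__main__":
    users = {"alice": "correct horse", "bob": "password"}   # constructed
    key = b"site-secret"                                    # constructed
    enc_file = {u: encrypt_password(key, p) for u, p in users.items()}
    print("with key, encrypted file yields:", recover_with_key(key, enc_file))
    hash_file = {u: hash_password(p) for u, p in users.items()}
    print("guessing against hash file yields:", guess_hashed(hash_file, ["123456", "password"]))
```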
