Bugtraq mailing list archives
Re: Digital Unix 4 protected password database.
From: Alec.Muffett () UK SUN COM (Alec Muffett)
Date: Mon, 15 Mar 1999 11:27:00 +0000
[making up to 16 char passwords by overlapping 8-char strings]
> The alternate scheme you mention (in the part I cut) of encrypting the first 8 characters and the last 8 seems to me to result in a 16 char keyspace. Clever. Unfortunately, it doesn't perform strong mixing and thus does not produce a result as strong as its 16 character length implies.
From the crypto-purist point of view, I certainly would not argue with that; part of the reason I came up with that algorithm was to try and support minimal-effort backwards compatibility on an ancient networked system, where I could poke the standard

    if (!strcmp(crypt(plaintext, ciphertext), ciphertext)) { ...

mantra into

    if (!strncmp(crypt(plaintext, ciphertext), ciphertext, 13)) { ...

for the small number of systems which could not be seriously overhauled to use a decent crypt() replacement, for lack of source code; the first 13 chars of the ciphertext in the modified algorithm are equivalent to a traditional crypt, and in this limited circumstance it was useful to exploit that feature. Of course, backwards compatibility is a ***BAD*** thing in authentication (ref: WinNT) - nonetheless, I consider it a neat toy hack, whose strength is dependent upon the effectiveness of the DES mixing in crypt, and to practical limitations it is pretty good.
> As you can see, the only proper way of increasing the effective length of a password is to use a cryptographic hash algorithm or implement a scheme of thorough plaintext mixing. Look into the efforts of expanding DES for good examples of how to mix plaintext properly.
Quite. In these days of ubiquitous access to MD5 and SHA-1 algorithms, it would be insane to use anything less.

- alec
--
alec muffett, sun professional services, alec.muffett @ uk.sun.com
#4 - goading fierce man
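As an added example (mine, not Alec's code and not from the thread), here is a small C model of the 13-char-prefix trick and of the objection quoted above. It assumes a toy stand-in hash in place of DES crypt(3) so that it builds without libcrypt, an assumed layout for the extended ciphertext (password chars 1-8 and 9-16 hashed independently under one salt, so the first 13 output chars are the legacy hash), and a constructed password, salt and alphabet:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not Alec's code.  legacy_hash() is a STAND-IN for DES crypt(3)
 * with the same shape (2 salt chars + 11 hash chars, keyed on at most 8 password
 * bytes); it is neither crypt nor secure.  extended_hash() is an ASSUMED layout:
 * password chars 1-8 and 9-16 hashed independently under one salt. */
#define HALF       8
#define LEGACY_LEN 13
#define EXT_LEN    24
static const char B64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* FNV-1a over salt + first 8 bytes of pw (zero padded), then scrambled. */
static uint64_t mix(const char *pw, const char *salt)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    int n = (int)strlen(pw);
    for (int i = 0; i < 2; i++) { h ^= (unsigned char)salt[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < HALF; i++) { h ^= (i < n) ? (unsigned char)pw[i] : 0; h *= 0x100000001b3ULL; }
    for (int r = 0; r < 4; r++) { h ^= h >> 29; h *= 0xbf58476d1ce4e5b9ULL; h ^= h >> 32; }
    return h;
}

/* crypt(3) stand-in: salt[0..1] followed by 11 base64-style chars. */
static void legacy_hash(const char *pw, const char *salt, char out[LEGACY_LEN + 1])
{
    uint64_t h = mix(pw, salt);
    out[0] = salt[0]; out[1] = salt[1];
    for (int i = 2; i < LEGACY_LEN; i++) { out[i] = B64[h & 63]; h >>= 6; }
    out[LEGACY_LEN] = '\0';
}

/* 13-char legacy prefix, then 11 chars from hashing password chars 9-16. */
static void extended_hash(const char *pw, const char *salt, char out[EXT_LEN + 1])
{
    char tail_hash[LEGACY_LEN + 1];
    const char *tail = strlen(pw) > HALF ? pw + HALF : "";
    legacy_hash(pw, salt, out);
    legacy_hash(tail, salt, tail_hash);
    memcpy(out + LEGACY_LEN, tail_hash + 2, LEGACY_LEN - 2);   /* drop the repeated salt */
    out[EXT_LEN] = '\0';
}

/* The post's strncmp(..., 13) variant of the strcmp mantra, for an un-overhauled
 * system: it accepts an extended ciphertext but, like crypt itself, verifies
 * only 8 password chars (salt = first two chars of the stored ciphertext). */
static int compat_check(const char *pw, const char *stored_ext)
{
    char h[LEGACY_LEN + 1];
    legacy_hash(pw, stored_ext, h);
    return strncmp(h, stored_ext, LEGACY_LEN) == 0;
}

/* Odometer enumeration of all 8-char strings over `alpha`; returns how many
 * candidates were tried before the 11 hash chars at target11 matched, or -1. */
static long find_half(const char *alpha, const char *salt, const char *target11, char found[HALF + 1])
{
    int n = (int)strlen(alpha), idx[HALF] = {0};
    char cand[HALF + 1] = {0}, h[LEGACY_LEN + 1];
    for (long tries = 1;; tries++) {
        for (int i = 0; i < HALF; i++) cand[i] = alpha[idx[i]];
        legacy_hash(cand, salt, h);
        if (memcmp(h + 2, target11, LEGACY_LEN - 2) == 0) { strcpy(found, cand); return tries; }
        int i = 0;
        while (i < HALF && ++idx[i] == n) idx[i++] = 0;
        if (i == HALF) return -1;                                /* keyspace exhausted */
    }
}

/* The weakness in the quoted critique: nothing mixes across the halves, so a
 * 16-char password over N symbols falls in at most 2*N^8 trials, not N^16. */
static long split_attack(const char *alpha, const char *stored_ext, char recovered[2 * HALF + 1])
{
    char a[HALF + 1], b[HALF + 1];
    long t1 = find_half(alpha, stored_ext, stored_ext + 2, a);
    long t2 = find_half(alpha, stored_ext, stored_ext + LEGACY_LEN, b);
    if (t1 < 0 || t2 < 0) return -1;
    snprintf(recovered, 2 * HALF + 1, "%s%s", a, b);
    return t1 + t2;
}

/* Constructed scenario: 16-char password over the 4-symbol alphabet "abcd".
 * Returns the attack's trial count (> 0 and <= 2 * 4^8 = 131072) if every
 * check behaves as described and the password is recovered, else a negative code. */
static long demo(void)
{
    static const char pw[] = "dcbaabcdbadcdcab", salt[] = "Xy";
    char ext[EXT_LEN + 1], ext2[EXT_LEN + 1], leg[LEGACY_LEN + 1], rec[2 * HALF + 1];
    extended_hash(pw, salt, ext);
    legacy_hash(pw, salt, leg);
    if (strncmp(ext, leg, LEGACY_LEN) != 0) return -2;         /* prefix == legacy hash */
    if (!compat_check("dcbaabcdZZZZZZZZ", ext)) return -3;     /* legacy path ignores tail */
    extended_hash("dcbaabcdZZZZZZZZ", ext, ext2);
    if (strcmp(ext2, ext) == 0) return -4;                     /* full check does not */
    long tries = split_attack("abcd", ext, rec);
    if (tries < 0) return -1;
    printf("recovered \"%s\" in %ld trials; 4^16 would be 4294967296\n", rec, tries);
    return strcmp(rec, pw) == 0 ? tries : -6;
}

int main(void) { return demo() > 0 ? 0 : 1; }
```

Two practical points the model makes visible: the strncmp(..., 13) path on a legacy host verifies only the first eight characters of the password, exactly as crypt(3) always did, so the extra length buys nothing on that host; and because nothing mixes across the halves, whoever holds the extended ciphertext attacks each half separately, so the cost grows as 2*N^8 rather than N^16. With the layout assumed here, a password of eight characters or fewer also produces a constant second half, which reveals its length, one more thing a real construction would have to avoid.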
Current thread:
- Re: Digital Unix 4 protected password database. Darren J Moffat - Enterprise Services OS Product Support Group (Mar 10)
- <Possible follow-ups>
- Re: Digital Unix 4 protected password database. der Mouse (Mar 10)
- New Security Vulnerability in WinNT Alexandre Stervinou (Mar 12)
- Re: Digital Unix 4 protected password database. Tim Pierce (Mar 12)
- Re: Digital Unix 4 protected password database. Nate Lawson (Mar 12)
- Re: Digital Unix 4 protected password database. Alec Muffett (Mar 15)
- Re: Digital Unix 4 protected password database. Alec Muffett (Mar 16)