aoki@faerie.Berkeley.EDU (Paul M. Aoki) (11/12/88)
In article <10436@eddie.MIT.EDU> jbs@fenchurch.UUCP (Jeff Siegal) writes:
>In article <10835@ulysses.homer.nj.att.com> smb@ulysses.homer.nj.att.com (Steven M. Bellovin) writes:
>>You don't need to use all 4096 salts; you simply need the ones used
>>on the target system.
>
>It turns out that, due to a (apparent) bug in passwd.c, at least on
>Berkeley systems, only about 400 salts ever get used.
>
>Jeff Siegal

Hmm. I just pawed over the password file on ernie.berkeley.edu
[ that's right, the place the worm was transmitting its location to ... ]
and found 630 salts for 671 accounts with passwords. Some of those
passwords have been there for an awfully long time.

Where did you get this information?

----------------
Paul M. Aoki
CS Division, Dept. of EECS // UCB // Berkeley, CA 94720    (415) 642-1863
aoki@postgres.Berkeley.EDU    ...!ucbvax!aoki
jbs@fenchurch.mit.edu (Jeff Siegal) (11/13/88)
In article <7311@pasteur.Berkeley.EDU> aoki@faerie.Berkeley.EDU (Paul M. Aoki) writes:
>In article <10436@eddie.MIT.EDU> jbs@fenchurch.UUCP (Jeff Siegal) writes:
>>[...]only about 400 salts ever get used.
>Hmm. I just [...] found 630 salts for 671 accounts [...].

Yes, it is pretty clear now that my claim is wrong.

>Where did you get this information?

I was told this a while ago--I don't remember by whom. Before posting
the information, I did check the source code but I did not think very
hard about what I saw. After looking again and thinking a bit, I see
now why it isn't true.

Jeff Siegal
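
Added example, not part of any post in this thread: a short audit that counts the distinct crypt(3) salts in a password file, as described above, and compares the count with what uniformly random salts would produce. The function names, the sample entries (constructed, not real hashes) and the uniform-choice model are assumptions of this example.

```python
# Salt audit for classic 13-character DES crypt(3) password fields.
# The first two characters of each hash are the salt, drawn from a
# 64-character alphabet, giving 64**2 = 4096 possible salts.
import string

SALT_ALPHABET = set("./" + string.digits + string.ascii_letters)
SALT_SPACE = len(SALT_ALPHABET) ** 2  # 4096

def salts_in_use(passwd_text):
    """Return (accounts_with_passwords, set_of_salts) for a passwd file."""
    accounts, salts = 0, set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd entry
        pw = fields[1]
        # Skip empty, locked ("*") or otherwise non-crypt password fields.
        if len(pw) != 13 or not set(pw) <= SALT_ALPHABET:
            continue
        accounts += 1
        salts.add(pw[:2])
    return accounts, salts

def expected_distinct(accounts, pool=SALT_SPACE):
    """Expected distinct salts if each account draws one uniformly
    at random from `pool` possible values (modelling assumption)."""
    return pool * (1 - (1 - 1 / pool) ** accounts)

# Constructed sample: four accounts with passwords, two sharing salt "ab".
SAMPLE = """\
root:abJnggxhB/yWI:0:1:Operator:/:/bin/csh
daemon:*:1:1::/:
alice:abK9.pQ2rT1uV:101:10:Alice:/usr/alice:/bin/csh
bob:ZxcvbnmASDFG1:102:10:Bob:/usr/bob:/bin/sh
guest::103:10:Guest:/usr/guest:/bin/sh
carol:q.0123456789a:104:10:Carol:/usr/carol:/bin/csh
"""

if __name__ == "__main__":
    n, salts = salts_in_use(SAMPLE)
    print(f"{n} accounts with passwords, {len(salts)} distinct salts")
    # Figures from the thread: 671 accounts, 630 distinct salts observed.
    print(f"expected for 671 accounts, 4096 salts: {expected_distinct(671):.0f}")
    print(f"expected for 671 accounts,  400 salts: {expected_distinct(671, 400):.0f}")
```

Under this model, 671 accounts would yield about 619 distinct salts from a pool of 4096, close to the 630 reported above, while a pool of only 400 could never yield more than 400.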