pmaniac@walt.cc.utexas.edu (Noah Friedman) (06/03/90)
In article <6703@blake.acs.washington.edu> mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:
>... There are lessons to be learned, starting with the
>abolishment of /etc/passwd and user access to the encryption
>algorithm.

I don't know that this is necessary. While it's possible that someone already has worked out a way to reverse DES, having access to /etc/passwd is quite useful. A number of my programs use information in this database, including the password field, so that other users can use their own passwords for various options while running my programs.

If DES is breakable, then a new algorithm needs to be implemented. And users should be encouraged to choose good passwords, otherwise it doesn't matter what encryption mechanism is used.

It's probably already been mentioned, but there is no good way to hide the encryption algorithm. Even if it's hardcoded into the kernel, it can always be disassembled.

Noah Friedman
pmaniac@ccwf.cc.utexas.edu