Subject: Re: crypt(3)
To: Herb Peyerl <firstname.lastname@example.org>
From: Michael Graff <email@example.com>
Date: 11/16/1994 00:41:12

>Whenever someone wants an account on one of my machines, they ship me a
>passwd entry... That way their password can remain the same. And vice
>versa. Whenever I get an account on someone else's machine, I ship them
>my password entry.

So, not only do you break the ``use different passwords on different machines''
rule, you also expect all crypt()'s to be identical? There are other
password schemes out there (Kerberos) which also break the ``standard''
password entries. Besides, what does a program need to look at the raw
password entry for anyhow? The salt argument to crypt() could flag an MD5
vs. non-MD5 entry. There is a limited alphabet allowed as a seed. Use
something illegal to the DES crypt to flag an MD5 entry.

I would much prefer using MD5 for passwords. I'm not so certain the method
posted here earlier is the best, but I believe MD5 to be much more secure
than the standard old DES.

Michael Graff <firstname.lastname@example.org> NetBSD is the way to go!
PGP key on a key-server near you! Rayshade the world!
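
The salt-based dispatch suggested in the message above, sketched as an added example that is not part of the original message or of any crypt(3) implementation: it classifies a passwd password field by checking whether its first character falls inside the DES salt alphabet. The choice of `$` as the flag character, the `classify_field` name, and the layout of the MD5 sample field are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Salt alphabet accepted by traditional DES crypt(3): [./0-9A-Za-z]. */
static const char DES_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum scheme { SCHEME_DES, SCHEME_MD5, SCHEME_LOCKED, SCHEME_INVALID };

/* Assumption for this example: '$' is the character that flags an MD5 entry. */
#define MD5_FLAG '$'

static int in_des_alphabet(char c)
{
    /* strchr() would match the terminator, so reject '\0' explicitly. */
    return c != '\0' && strchr(DES_ALPHABET, c) != NULL;
}

/* Classify the password field of a passwd entry by inspecting its salt. */
enum scheme classify_field(const char *field)
{
    size_t len = strlen(field);

    if (len == 0)
        return SCHEME_INVALID;          /* empty field: no hash to check */
    if (field[0] == MD5_FLAG)
        return len > 1 ? SCHEME_MD5 : SCHEME_INVALID;
    if (!in_des_alphabet(field[0]))
        return SCHEME_LOCKED;           /* e.g. "*": cannot be any hash output */
    /* DES crypt output: 2 salt chars + 11 hash chars, all in the alphabet. */
    if (len != 13 || strspn(field, DES_ALPHABET) != 13)
        return SCHEME_INVALID;
    return SCHEME_DES;
}

int main(void)
{
    /* Constructed sample fields, not real password hashes. */
    const char *samples[] = { "abJnggxhB/yWI", "$md5salt$0123456789abcdef",
                              "*", "ab$short" };
    static const char *names[] = { "DES", "MD5", "locked", "invalid" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s -> %s\n", samples[i], names[classify_field(samples[i])]);
    return 0;
}
```

Any flag character chosen this way has to be kept distinct from markers such as `*` that already sit outside the DES alphabet to disable logins, which is why the sketch tests for the flag before treating other out-of-alphabet fields as locked.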