Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Steven M. Bellovin <firstname.lastname@example.org>
From: None <email@example.com>
Date: 05/24/2002 11:46:11
on Thu, May 23, 2002 at 11:22:51PM -0400, Steven M. Bellovin wrote:
> One other point I should mention: the code fragment I sketched had an
> optional site-specific field. Today's algorithm encrypts a constant
> block, which makes hashed passwords portable. That isn't necessarily
> an advantage, since it lets an attacker combine password files from
> multiple sites for a single cracking run. The variant allows site
> administrators to change that.
> Where to store this string is an open issue.
Is there any harm in storing it in /etc/passwd.conf?
localcipher = sha512[,rounds[,site-salt]]