Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: None <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/24/2002 08:28:05
In message <20020524104611.GA26583@meltdown.kittenz.org>, firstname.lastname@example.org writes
>on Thu, May 23, 2002 at 11:22:51PM -0400, Steven M. Bellovin wrote:
>> One other point I should mention: the code fragment I sketched had an
>> optional site-specific field. Today's algorithm encrypts a constant
>> block, which makes hashed passwords portable. That isn't necessarily
>> an advantage, since it lets an attacker combine password files from
>> multiple sites for a single cracking run. The variant allows site
>> administrators to change that.
>> Where to store this string is an open issue.
>Is there any harm in storing it in /etc/passwd.conf?
> localcipher = sha512[,rounds[,site-salt]]
It's the obvious file, though the syntax may take a bit of work.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)