This is still not very safe. With the computers we have nowadays one can run about 240,000 entries per second through crypt(). This means that _all_ possible passwords (i.e. all allowed characters plus the NUL in all combinations of 8) can be calculated with all possible salts in just over a month on an average Alpha or high-end Intel processor. The results could then be stored on a hard disk in a database. The whole database, containing all possible passwords in cleartext as well as crypt()ed with every possible salt, would take up less than 9 GB. Using this database any password can be "cracked" in a matter of seconds (i.e. the time needed to pick the correct list out of 4096 total, and then find an entry in this sorted list of about 2 MB).
Yeah, and I just bought a 60-gig HD for $219 US, it's insane (that, and I have a half-dozen PIII Coppermine systems to crunch the data; I figure <1 week to generate the database). Hmm, something to do on the weekend maybe =) (with a web interface too, heeeee).
I guess it's time to replace crypt() with a more modern algorithm. OpenBSD uses eksblowfish, which seems to do the job wonderfully. Would it be possible to implement this in SuSE Linux? I guess with PAM this should not be too much work. Also I'd think that when implementing it in PAM as an option there should not be any serious compatibility problems. Has anybody tried this yet? If not, I'm willing to invest some time in it in the near future...
Red Hat moved to MD5 quite some time ago. I'm rather shocked SuSE hasn't.
Cheers! Yuri.
-Kurt
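As an added example, not code from anyone in this thread: a toy Python model of the precomputed table the first post describes (one sorted list per salt, then a binary search within that list). It does not call DES crypt(); `toy_crypt` is an assumed stand-in (truncated SHA-256 over salt||password), and the alphabet, maximum length and salt width are deliberately tiny constructed values so the table builds instantly. `table_entries` counts how many rows the full table would hold for given parameters, which is the quantity the post's size estimate rests on.

```python
"""Toy model of a precomputed crypt() lookup table, keyed by salt.

Added example; not from the original posts. toy_crypt() is an assumed
stand-in for crypt(), and ALPHABET / MAX_LEN / SALT_BITS are constructed
values far smaller than the real keyspace (all printable characters,
length up to 8, 12-bit salt = 4096 salts).
"""
import bisect
import hashlib
import itertools

ALPHABET = "abc"   # constructed: real attack uses every allowed character
MAX_LEN = 3        # constructed: real attack goes up to 8 characters
SALT_BITS = 4      # constructed: traditional crypt() uses 12 bits


def toy_crypt(password: str, salt: int) -> bytes:
    """Assumed stand-in for crypt(): salted, fixed-size 8-byte output."""
    data = salt.to_bytes(2, "big") + password.encode()
    return hashlib.sha256(data).digest()[:8]


def all_passwords(alphabet=ALPHABET, max_len=MAX_LEN):
    """Every string of length 1..max_len over the alphabet.

    Shorter strings count as well: crypt() pads with NUL, which is the
    "all allowed characters plus the NUL" keyspace the post refers to.
    """
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def build_table(alphabet=ALPHABET, max_len=MAX_LEN, salt_bits=SALT_BITS):
    """Return {salt: (sorted_hashes, passwords_in_matching_order)}.

    One list per salt, sorted by hash value, exactly so that a lookup is
    "pick the list for the salt, then search a sorted list".
    """
    table = {}
    for salt in range(1 << salt_bits):
        pairs = sorted(
            (toy_crypt(pw, salt), pw) for pw in all_passwords(alphabet, max_len)
        )
        table[salt] = ([h for h, _ in pairs], [p for _, p in pairs])
    return table


def lookup(table, salt: int, digest: bytes):
    """Binary-search the salt's list; return the password or None."""
    hashes, passwords = table[salt]
    i = bisect.bisect_left(hashes, digest)
    if i < len(hashes) and hashes[i] == digest:
        return passwords[i]
    return None


def table_entries(alphabet_size: int, max_len: int, salt_bits: int) -> int:
    """Rows in the full table: (sum of alphabet^n for n=1..max_len) * salts."""
    keyspace = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return keyspace * (1 << salt_bits)


if __name__ == "__main__":
    table = build_table()
    salt = 5
    stolen = toy_crypt("cab", salt)       # constructed "captured" hash
    print("recovered:", lookup(table, salt, stolen))
    print("rows in toy table:", table_entries(len(ALPHABET), MAX_LEN, SALT_BITS))
```

The structure is what makes the attack cheap per lookup: the salt only selects which of the 2^SALT_BITS lists to open, and the work inside that list is a binary search, so widening the salt multiplies the storage the attacker needs but not the time of a single lookup. That is why the thread's next step is to change the hash function itself (MD5-crypt, eksblowfish) rather than just the salt.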