RE: [suse-security] Password Encryption
But the crypt lib encrypts the password or the hashed value of the password?

Dre :-)
Luck is my game ;-) Linux is my aim :)

-----Original Message-----
From: Claus Lund [mailto:clund@tax.state.vt.us]
Sent: Wednesday, July 10, 2002 7:39 PM
To: suse-security@suse.com
Subject: Re: [suse-security] Password Encryption

Yup. Several different passwords could very well generate the same hashed string.

Claus Lund
Department of Taxes Information Systems
109 State Street
Montpelier, Vermont 05609
(802) 828-3735

----- Original Message -----
From: "arawak" <arawak@blueyonder.co.uk>
To: <suse-security@suse.com>
Cc: "'Reckhard, Tobias'" <tobias.reckhard@secunet.com>
Sent: Wednesday, July 10, 2002 2:26 PM
Subject: RE: [suse-security] Password Encryption
Hi,
I'm following this thread and need a little clarity.
I'm thinking that if my password was ABC then hashed, the result is compared in the hashed file, correct?
Therefore, could it be possible to have another password that, when compared to the hashed value, could give the same result as my ABC password?
Dre :)
Luck is my game ;-) Linux is my aim :)
-----Original Message-----
From: Reckhard, Tobias [mailto:tobias.reckhard@secunet.com]
Sent: Wednesday, July 10, 2002 11:24 AM
To: suse-security@suse.com
Subject: RE: [suse-security] Password Encryption

ok, but if we know that there is a way to crack the shadow file, why don't we use a secure algorithm? (triple DES or AES) Are there no implementations for these algorithms? (a DES cracker machine costs about 100.000 $)
Wait! and read aloud after me: "The password is *not* encrypted." Take a deep breath. Now repeat it, please.
The password is in fact hashed. The resulting hash is stored in /etc/shadow. The password is gone after that, there's no trace of it left.
What then happens, when you login, is that the password you supply to the system is hashed and the hash is compared to the one stored in /etc/shadow. If they match, you're in, if they don't, you're not.
As Olaf has repeatedly said, in the case where DES is used, the salt is encrypted using the password as a key to get the 'hash'.
However, if you're using 'MD5 passwords' (which is something of a misnomer, of course), DES isn't involved.
Someone correct me if I'm wrong.
Cheers
Tobias
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
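The hash-and-compare login check described in the thread, for the 'MD5 passwords' case, as an added example that is not part of the original messages: a pure-Python reimplementation of the `$1$` md5-crypt scheme plus a verifier that re-hashes a candidate with the salt stored in the entry. The function names, the salt `Xy7pQ2mL` and the stored entry are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode the low bits of value as count crypt-base64 chars, LSB first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """Return the '$1$salt$hash' field for an ASCII salt (at most 8 chars used)."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for n in range(len(pw), 0, -16):       # mix in len(pw) bytes of alt
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                               # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000 rounds of re-hashing
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$1$" + sl.decode() + "$" + enc + _to64(final[11], 2)

def verify(candidate, stored):
    """Login check: hash the candidate with the stored salt, compare the results."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("this example only handles $1$ entries")
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)

# Constructed shadow-style password field for the thread's password "ABC".
STORED = md5_crypt("ABC", "Xy7pQ2mL")
if __name__ == "__main__":
    print(STORED, verify("ABC", STORED), verify("ABD", STORED))
```

The stored field carries the salt but not the password; verification never recovers the password, it only recomputes the hash and compares.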