aw> On Thu, 10 Jun 1999, Steve Dodd wrote:
>>
>> Rubbish. Store a secure one-way hash of the password. The problem is just
>> in choosing a secure algorithm.
aw>
aw> No, the one-way hashes are still sensitive (more so than a shadow file).
Explain this. Any decent hash function has the following properties:
- non invertible (or not trivially so)
(note that a good hash function need not be bijective, and I'd
conjecture that it shouldn't be)
I don't see the sensitivity here.
The problem is that user's passwords are in a much smaller space, so you
can simply try to invert the has by trying all possible "typable"
passwords, which is small enough that that a brute-force attack is
tractable.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/