Changing OS

Pavel Curtis (pavel@parc.xerox.com)
Sun, 7 Apr 1996 15:48:52 PDT


Pavel Curtis writes:
> > Here's a question I have.. I noticed string_hash() is the same on both
> > versions, and I changed passwords on the moo I was using to use that. Does
> > anyone see a problem with that?
> 
> This is at least as secure as using crypt() ...

Actually, this isn't quite true, since the crypt() stuff includes the addition
of two random `salt' characters, which effectively thwarts a pre-computed
dictionary attack.  You could, however, implement a similar thing for
string_hash(), by adding two random characters to the front of the password
before sending it to string_hash() when you first set the password and then
prepending those characters to the result before storing it in the .password
property.  To test a given password, take the two characters from the front of
.password, prepend them to the given password, and run the result through
string_hash(); if that gives the rest of the .password property, you're set.

	Pavel
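
The salting scheme described in this message, sketched in Python as an added example (not part of the original message or of the MOO server code). The `string_hash()` below is a stand-in that assumes an MD5 hex digest; the helper names and the salt alphabet are also assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Assumption: crypt()-style salt alphabet; the message only says "random characters".
SALT_CHARS = string.ascii_letters + string.digits + "./"
SALT_LEN = 2  # the message proposes two salt characters


def string_hash(text: str) -> str:
    """Stand-in for the MOO built-in (assumed here to be an MD5 hex digest)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def make_password_entry(password: str, salt: Optional[str] = None) -> str:
    """Value to store in .password: the salt followed by hash(salt + password)."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d characters" % SALT_LEN)
    return salt + string_hash(salt + password)


def check_password(stored: str, candidate: str) -> bool:
    """Split the salt off the stored value, re-hash the candidate, compare."""
    if len(stored) <= SALT_LEN:
        return False  # malformed entry: no digest after the salt
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = string_hash(salt + candidate)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(recomputed.encode("utf-8"), digest.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: two accounts sharing one password.
    a = make_password_entry("correct horse")
    b = make_password_entry("correct horse")
    print(a, check_password(a, "correct horse"))
    print(b, check_password(b, "wrong guess"))
    # The stored digests differ from the unsalted hash, so a table of
    # unsalted string_hash() values does not match either entry.
    print(string_hash("correct horse") in (a[SALT_LEN:], b[SALT_LEN:]))
```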