MOO-cows Mailing List Archive


Re: Changing OS



Pavel Curtis writes:
> > Here's a question I have.. I noticed string_hash() is the same on both
> > versions, and I changed passwords on the moo I was using to use that. Does
> > anyone see a problem with that?
> 
> This is at least as secure as using crypt() ...

Actually, this isn't quite true, since the crypt() stuff includes the addition
of two random `salt' characters, which effectively thwarts a pre-computed
dictionary attack.  You could, however, implement a similar thing for
string_hash(), by adding two random characters to the front of the password
before sending it to string_hash() when you first set the password and then
prepending those characters to the result before storing it in the .password
property.  To test a given password, take the two characters from the front of
.password, prepend them to the given password, and run the result through
string_hash(); if that gives the rest of the .password property, you're set.

	Pavel
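
The salted scheme described in the message above, as an added example in Python; it is not part of the original post and not MOO code. The Python string_hash() here is a stand-in for the MOO builtin (assumption: SHA-256 hex), and make_password_entry(), check_password() and precomputed_table_hits() are hypothetical names chosen for this sketch.

```python
import hashlib
import hmac
import secrets
import string

# crypt()-style salt alphabet: 64 characters, so two of them give 4096 salts.
SALT_CHARS = string.ascii_letters + string.digits + "./"


def string_hash(text):
    """Stand-in for the MOO builtin string_hash() (assumption: any fixed
    one-way hash returning a hex string behaves the same for this scheme)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_password_entry(password, salt=None):
    """Value to store in .password: two salt characters, then the hash."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(2))
    return salt + string_hash(salt + password)


def check_password(stored, candidate):
    """Re-hash the candidate with the stored salt; compare to the rest."""
    if len(stored) <= 2:
        return False  # empty or malformed entry never matches
    salt, digest = stored[:2], stored[2:]
    recomputed = string_hash(salt + candidate)
    # Constant-time comparison on bytes avoids leaking how much matched.
    return hmac.compare_digest(recomputed.encode(), digest.encode())


def precomputed_table_hits(stored_entries, wordlist):
    """Count entries whose hash part appears in a table of unsalted hashes
    built in advance; salted entries should produce no hits."""
    table = {string_hash(word) for word in wordlist}
    return sum(1 for entry in stored_entries if entry[2:] in table)


if __name__ == "__main__":
    # Constructed sample data: two players who chose the same weak password.
    entries = [make_password_entry("wizard"), make_password_entry("wizard")]
    print(entries)  # same password, different stored values (salts differ)
    print(check_password(entries[0], "wizard"))   # correct password
    print(check_password(entries[0], "Wizard"))   # wrong password
    print(precomputed_table_hits(entries, ["wizard", "password"]))
```
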

