On Tue, 18 Aug 1998, Steve Lamb wrote:

: On Tue, Aug 18, 1998 at 09:43:13PM -0500, Nathan E Norman wrote:
: > However, let's assume someone grabs a copy of your /etc/passwd file, and
: > you aren't using shadow passwords. All is not lost (yet). See, you
: > can't decrypt the information stored on disk - your plaintext password
: > is encrypted using a one-way hash (the crypt function), and every time
: > you are prompted for your password your INPUT is again encrypted, and
: > compared to the already encrypted version stored on disk.
:
: I thought what happened was that the password entered is used to encrypt
: a string of 0's and the encoded (not encrypted) password is also used to
: encrypt the same string of 0's and if they match the password is correct.

No. The first two characters of the "Encrypted password" field are the
"salt"; the plaintext password collected from login or wherever is
crypted using that salt, and the result compared to the entire field.

The Perl Camel book has a function which demonstrates a simple
implementation of this system.

--
Nathan Norman
MidcoNet 410 South Phillips Avenue Sioux Falls, SD
mailto:[EMAIL PROTECTED] http://www.midco.net
finger [EMAIL PROTECTED] for PGP Key: (0xA33B86E9)
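
The salt-and-compare check described in the reply above, as an added example that is not part of the original thread and is not the Camel book's function. It builds a constructed passwd entry at run time with Perl's built-in crypt() and checks candidates against it; the helper name check_passwd_line, the user names, the password and the salt are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check a candidate password against one line of a traditional
# (non-shadow) passwd file: name:crypted:uid:gid:gecos:home:shell
# check_passwd_line is a hypothetical helper written for this example.
sub check_passwd_line {
    my ($line, $candidate) = @_;
    chomp $line;
    my ($name, $field) = split /:/, $line, -1;
    return 0 unless defined $field;

    # "x" means the hash lives in /etc/shadow, "*" or "!" mark a locked
    # account, and an empty field holds no hash. None can be compared.
    return 0 if $field eq '' || $field eq 'x' || $field =~ /^[*!]/;

    # crypt() takes the salt from the start of its second argument, so
    # passing the whole stored field reuses the original two characters.
    my $computed = crypt($candidate, $field);
    return 0 unless defined $computed;

    # The result is compared to the entire field, salt included.
    return $computed eq $field ? 1 : 0;
}

# Constructed sample data: the users, password and salt are made up.
my $salt   = 'ab';
my $stored = crypt('sesame', $salt);
die "crypt() on this platform does not support two-character salts\n"
    unless defined $stored && length($stored) == 13;

my $line   = "alice:${stored}:1001:1001:Alice:/home/alice:/bin/sh";
my $shadow = 'bob:x:1002:1002:Bob:/home/bob:/bin/sh';

printf "stored field begins with the salt: %s\n",
    substr($stored, 0, 2) eq $salt ? 'yes' : 'no';
printf "correct password accepted:         %d\n",
    check_passwd_line($line, 'sesame');
printf "wrong password accepted:           %d\n",
    check_passwd_line($line, 'sesamf');
printf "shadowed entry accepted:           %d\n",
    check_passwd_line($shadow, 'sesame');
```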

