On Wed, Sep 11, 2024 at 04:04:50PM -0500, R Losey wrote:
> On Wed, Sep 11, 2024 at 10:47 AM Chris Green <[email protected]> wrote:
>
> > No, they're not. What's stored is the result of applying an algorithm
> > to the password you supply. So, you enter a password, the password is
> > 'scrambled' by the password checking software and, if the resulting
> > scramble matches your entry in the password file (actually the shadow
> > file nowadays) you can log in.
> >
> > In reality it's even a bit more complicated than this, but anyway the
> > password isn't stored in any way.
> >
>
> Your last sentence gave me a laugh; it directly contradicts your previous
> paragraph: "What's stored is the result of applying an algorithm to the
> password you supply" -- so the password IS stored in some encrypted fashion

No, it's impossible to get back to the password from the 'scrambled'
string. The **only** way to validate your password is to encrypt the
password you enter and then compare the result with the 'scrambled'
string. In particular the only way to discover a password is to 'brute
force' it by trying zillions of possible passwords until one, when
encrypted, produces the required 'scrambled' string.

> -- at the very least something related to the password is indeed stored.

Well, yes, that's inevitable, otherwise how could your password be
checked! :-)

More relevant to the original question is that it's even more difficult
to break encryption like the above when the 'password' that you're
trying to obtain is actually a large chunk of text. Even if you happen
to know it's (say) 1000 characters long brute forcing it is quite
impossible.

-- 
Chris Green
_______________________________________________
gnucash-user mailing list
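
The check described in the message above, as an added Python example that is not part of the original thread: the stored record holds a salt and a one-way derivation of the password, and verification re-derives from the typed password and compares. PBKDF2-HMAC-SHA256, the iteration count and the `$`-separated record layout are assumptions chosen for illustration, not the scheme any particular system's shadow file uses.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this sketch


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the string that gets stored: scheme$iterations$salt$digest.

    The password itself never appears in the record, only the output of a
    one-way key-derivation function applied to it together with the salt.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive from the typed password and compare with the stored digest.

    Nothing is decrypted: the only operation available is to run the same
    derivation forward again with the stored salt and iteration count.
    """
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    stored = make_record("correct horse battery staple")
    print("stored record:", stored)
    print("right password:", verify("correct horse battery staple", stored))
    print("wrong password:", verify("correct horse battery stapler", stored))
    # A fresh random salt makes the same password store differently each time.
    print("same password, new salt differs:",
          make_record("correct horse battery staple") != stored)
```
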
