> It is not all that difficult for an attacker to arrange to sniff lots
> of AS exchanges. Again, I'm not comparing it to `ypcat passwd' ---
> but one can't just sweep this possibility under the carpet.

One thing that may not be self-evident is that it's a lot harder to do this in V5 than in V4.

- Each key is salted with the whole principal name, which means you can't build up a sequence of trial keys from passwords; you need to generate them on a per-user basis.

- Each encrypted sequence has a confounder, which means you need to do more trial decryptions before you can figure out if a key is right or not.

- V5 includes MUCH better hooks for password quality control (including things like maximum and minimum password lifetimes and a password history).

So no, this does not eliminate the problem. But I believe it reduces it to a manageable level. But I doubt you're going to find a security system that provides absolute security (I know Tom Wu would love for us all to believe that SRP is such a system, but somehow I'm skeptical).

--Ken
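
Added example, not part of the original message: a sketch of the per-principal salting point above, showing that one shared password yields a different key for each principal and that the key-derivation work scales with the number of principals. Assumptions: the realm, principal names and passwords are constructed; the KDF is only the PBKDF2-HMAC-SHA1 step that the later AES enctypes (RFC 3962) use, standing in for the full string-to-key; the unsalted case is modelled as an empty salt.

```python
import hashlib

ITERATIONS = 4096  # default iteration count given in RFC 3962


def default_salt(realm, principal):
    """Default V5 salt: realm followed by the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode()


def derive(password, salt):
    """PBKDF2 step only (assumption: stand-in for the complete string-to-key)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 16)


def keys_for_shared_password(password, principals, realm, salted):
    """Key each principal ends up with when all of them pick the same password."""
    return {
        p: derive(password, default_salt(realm, p) if salted else b"")
        for p in principals
    }


def derivations_needed(candidates, principals, realm, salted):
    """Distinct (password, salt) derivations required to cover every principal."""
    work = set()
    for p in principals:
        salt = default_salt(realm, p) if salted else b""
        work.update((pw, salt) for pw in candidates)
    return len(work)


if __name__ == "__main__":
    realm = "EXAMPLE.COM"                      # constructed sample realm
    users = ["alice", "bob", "host/web1"]      # constructed sample principals
    words = ["winter", "summer", "changeme", "letmein"]  # constructed list

    for salted in (False, True):
        keys = keys_for_shared_password("changeme", users, realm, salted)
        label = "salted" if salted else "unsalted"
        print(label, "distinct keys:", len(set(keys.values())),
              "derivations:", derivations_needed(words, users, realm, salted))
```
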
