Hey all,
I have a question about cracking passwords.
I run john to check that my passwords are safe(ish).
I know that the way unix deals with passwords is to put them through a
one-way hashing algorithm and store the result. So john tries to
crack passwords by using a word list (or just iterating), and hashing
the result and checking it against the password file.
What I am confused about is that this method seems to rely on knowing
the encryption algorithm beforehand. What if you don't? Surely this
would then make it much more difficult to crack passwords.
In the light of this, why do all unixes use the same crypt function
(or am I mistaken, and you need to know the unix flavour to know the
encryption algorithm). And why not choose from 500 different algorithms
when you config your system to make it much harder?
Thanks for any info!
Matt
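
Added example, not part of Matt's post: on current Unix systems the stored password field usually names its own scheme through a crypt(3) `$id$` prefix, so the algorithm is not something a checker like john has to guess. The sketch below classifies the entries of a shadow-style file by that prefix; the sample entries are constructed, and which schemes it marks as weak is this example's assumption.

```python
import re

# crypt(3) "$id$" prefixes -> (scheme, acceptable?). The verdicts are this example's assumption.
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}
# Traditional DES crypt has no prefix: 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, acceptable) for the password field of one entry."""
    if field == "":
        return ("empty password", False)
    if field[0] in "!*":            # locked or login-disabled account
        return ("locked", True)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, ("unknown", False))
    if DES_RE.match(field):
        return ("descrypt", False)
    return ("unknown", False)

def audit(shadow_text):
    """Map each account name to its classified hash scheme."""
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            findings[fields[0]] = classify(fields[1])
    return findings

# Constructed sample entries; salts and hashes are placeholders, not real values.
SAMPLE = """\
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:$1$CONSTRSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
carol:ab0123456789A:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (scheme, ok) in audit(SAMPLE).items():
        print(f"{user:8} {scheme:12} {'ok' if ok else 'WEAK'}")
```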