Very Computer

I have a question about cracking passwords.

I run john to check that my passwords are safe(ish).

I know that the way unix deals with passwords is to put them through a
one way hashing algorithm, and stores the result. So john tries to
crack passwords by using a word list (or just iterating), and hashing
the result and checking it against the password file.

What I am confused about is that this method seems to rely on knowing
the encryption algorithm beforehand. What if you don't? Surely this
would then make it much more difficult to crack passwords.

In the light of this, why do all unixes use the same crypt function
(or am I mistaken, and you need to know the unix flavour to know the
encrytion algorithm). And why not choose from 500 different algorithms
when you config your system to make it much harder?

Thanks for any info!

Matt

Quote:> What I am confused about is that this method seems to rely on knowing
> the encryption algorithm beforehand. What if you don't? Surely this
> would then make it much more difficult to crack passwords.

Quote:> In the light of this, why do all unixes use the same crypt function
> (or am I mistaken, and you need to know the unix flavour to know the
> encrytion algorithm). And why not choose from 500 different algorithms
> when you config your system to make it much harder?

        mike

--

Any opinions  expressed are  mine and not necessarily
those of any other entity. They may not even be mine.

Note that this is essentially what the 'salt' in a Unix password does - it
permutes the algorithm (or more precisely, its tables) in one of 4096 ways
before encrypting the password.

Note that choosing an algorithm and hoping that noone figures it out would
be akin to security by obscurity.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

and normally we are careful NOT to be secretive about algorithms, because the
peer review process is the only way to gain confidence in the cryptographic
properties of an algorithm, that there aren't shorter ways to compute
equivalent functions and that sort of thing.

Quote:>Surely this would then make it much more difficult to crack passwords.

Quote:>And why not choose from 500 different algorithms
>when you config your system to make it much harder?

"Random numbers should not be generated by a method chosen at random."
                                -- attributed to Donald Knuth

I have one more question.

How would you go about cracking a password that was encrypted using an
unknown and completely new algorithm?

Thanks
Matt

: How would you go about cracking a password that was encrypted using an
: unknown and completely new algorithm?

Learn maths. Read about cryptoanalysis. Enjoy.

Arthur

--
Arthur Clune
Cosmologists are often in error but never in doubt - Lev Landau

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

I know very little about cryptography, but it seems to me that if you
don't know the algorithm, and can't get the source - then you will
have to try to crack the password by incrementally guessing it. Which
is really the best you can hope for.

Thanks,
Matt

   Andreas

--

Carlstedt Research & Technology
Phone: +46 31 7014268
Mobile: +46 70 4262889
Fax: +46 31 101987

]Hmm. Does anyone have any knowledge as to how you would do this?

What password?

]I know very little about cryptography, but it seems to me that if you
]don't know the algorithm, and can't get the source - then you will

You do know the algorithm. You do know the source.

]have to try to crack the password by incrementally guessing it. Which
Yes, that is often the best you can do

]is really the best you can hope for.