httpd-dev mailing list archives

From Paul Sutton <p...@ukweb.com>
Subject Re: Apache 1.3a1 Authentification (re) (fwd)
Date Fri, 15 Aug 1997 23:11:26 GMT
On Fri, 15 Aug 1997, Alexei Kosut wrote:
> On Fri, 15 Aug 1997, Paul Sutton wrote:
> > The point with Unix crypt() is that you can (a) publish the source code and
> > (b) make the salt (key) readily available and it is *still* a one-way
> > function. That is you can never get the original back, even with full
> > knowledge. So no-one can ever decrypt your Unix password (of course, they
> 
> I suspect there's something that can be done. What if you encrypted the
> password, using the password itself as the key. Then you couldn't
> unencrypt it to find the password unless you knew it already. When you
> got a password, you'd encrypt that with itself, and see if it matched
> your already-encrypted password.

Sounds good. It is just a shame we cannot use the same crypt() as supplied
with every Unix. Is it really ITAR restricted? I've never used a Unix
(inside or outside the US) which doesn't have it, so it is hardly a secret
technology. Plus things like crack have a crypt library. Umm.

//pcs
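
The verify-by-recomputing flow discussed in this thread, as an added example that is not part of the original messages or of Apache's code. It assumes PBKDF2-HMAC-SHA256 as a stand-in for crypt() (the password is the HMAC key, the salt is public), and the entry format, function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def one_way(password, salt):
    # PBKDF2 uses the password as the HMAC key and the salt as keyed data,
    # so the stored value cannot be reversed without knowing the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_entry(user, password, salt=None):
    # The salt is stored in the clear beside the hash, as with crypt().
    salt = os.urandom(16) if salt is None else salt
    return f"{user}:{salt.hex()}${one_way(password, salt).hex()}"


def stored_hash(entry):
    # Hex digits never contain "$", so the last "$" separates salt and hash.
    return entry.rsplit("$", 1)[1]


def verify(entry, candidate):
    # Recompute with the candidate password and the stored salt, then
    # compare in constant time. Nothing is ever decrypted.
    _user, rest = entry.split(":", 1)
    salt_hex, hash_hex = rest.rsplit("$", 1)
    actual = one_way(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample accounts: two users share one password.
    alice = make_entry("alice", "tr0ub4dor")
    bob = make_entry("bob", "tr0ub4dor")
    print(verify(alice, "tr0ub4dor"), verify(alice, "wrong"))
    # Random salts keep equal passwords from producing equal hashes.
    print(stored_hash(alice) == stored_hash(bob))
    # With a fixed salt the scheme is deterministic: equal passwords give
    # equal stored values, which is what precomputed tables rely on.
    fixed = b"\x00" * 16
    a = make_entry("alice", "tr0ub4dor", fixed)
    b = make_entry("bob", "tr0ub4dor", fixed)
    print(stored_hash(a) == stored_hash(b))
```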