From: Dan Busarow <dan@dpcsys.com>
To: Eric Eden <erice@internic.net>
Message Hash: 48efa393c3b7903796e8e79ce4f5309c6b987bf1ad9161da625e4c3ca29d664d
Message ID: <Pine.SV4.3.91.960404184726.12501A-100000@cedb>
Reply To: <199604041747.MAA11669@ops.internic.net>
UTC Datetime: 1996-04-05 09:30:47 UTC
Raw Date: Fri, 5 Apr 1996 17:30:47 +0800
From: Dan Busarow <dan@dpcsys.com>
Date: Fri, 5 Apr 1996 17:30:47 +0800
To: Eric Eden <erice@internic.net>
Subject: Re: Using crypt()
In-Reply-To: <199604041747.MAA11669@ops.internic.net>
Message-ID: <Pine.SV4.3.91.960404184726.12501A-100000@cedb>
MIME-Version: 1.0
Content-Type: text/plain

On Thu, 4 Apr 1996, Eric Eden wrote:

> The only problem is when users mistakenly supply cleartext initially,
> they can never update their information because the program isn't
> smart enough to realize that the user was submitting cleartext instead
> of an encrypted password when setting up their account.

Far from bulletproof, but the three Unice I just checked, SCO Unix,
UnixWare and FreeBSD, all generate 13 character encrypted passwords.
I believe this is the norm for crypt.

Very few people around here have 13 character clear text passwords,
those that do are either very security conscious and won't use CRYPT-PW
or it's just coincidental and their bad luck.

Anyway, requiring the supposedly encrypted password to be 13 characters
is probably about the best you can do. If crypt generated recognizable
patterns it wouldn't be very useful, would it?

I'm still debating whether or not to allow our clients to use this
option. We may require clients registering domains to pick up a copy
of PGP first.

Dan
--
Dan Busarow
DPC Systems
Dana Point, California
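
The 13-character check discussed in this message, tightened with two further properties of traditional DES-based crypt() output (its 64-character alphabet and the two padding bits in the final character), as an added example that is not part of the original message. The function name `looks_like_des_crypt` and all sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 64-character alphabet used by traditional DES-based crypt() output. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* 6-bit value of c in the crypt alphabet, or -1 if c is not in it. */
static int crypt_index(char c)
{
    const char *p = (c == '\0') ? NULL : strchr(CRYPT_ALPHABET, c);
    return p ? (int)(p - CRYPT_ALPHABET) : -1;
}

/*
 * looks_like_des_crypt (hypothetical helper): returns 1 if s has the shape
 * of a traditional crypt() hash (2 salt + 11 hash characters), else 0.
 * A 0 means "certainly not such a hash"; a 1 only means "could be one".
 */
int looks_like_des_crypt(const char *s)
{
    size_t i;

    if (s == NULL || strlen(s) != 13)
        return 0;
    for (i = 0; i < 13; i++)
        if (crypt_index(s[i]) < 0)
            return 0;
    /* 11 characters carry 66 bits for a 64-bit block, so the low two
       bits of the last character are always zero padding. */
    return (crypt_index(s[12]) & 3) == 0;
}

int main(void)
{
    /* Constructed inputs: the first has the right shape only and is not
       the hash of any particular password; the rest are cleartext. */
    const char *samples[] = { "ab1cdEfGh2JkM", "secret",
                              "correct-horse", "Tuesday4April",
                              "MyDogHasFleas" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               looks_like_des_crypt(samples[i]) ? "plausible hash"
                                                : "not a crypt() hash");
    return 0;
}
```

The last sample is 13-character cleartext that still passes, which is the residual false-positive case the message calls "far from bulletproof".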