1996-04-05 - Re: Using crypt()

Header Data

From: Dan Busarow <dan@dpcsys.com>
To: Eric Eden <erice@internic.net>
Message Hash: 48efa393c3b7903796e8e79ce4f5309c6b987bf1ad9161da625e4c3ca29d664d
Message ID: <Pine.SV4.3.91.960404184726.12501A-100000@cedb>
Reply To: <199604041747.MAA11669@ops.internic.net>
UTC Datetime: 1996-04-05 09:30:47 UTC
Raw Date: Fri, 5 Apr 1996 17:30:47 +0800

Raw message

From: Dan Busarow <dan@dpcsys.com>
Date: Fri, 5 Apr 1996 17:30:47 +0800
To: Eric Eden <erice@internic.net>
Subject: Re: Using crypt()
In-Reply-To: <199604041747.MAA11669@ops.internic.net>
Message-ID: <Pine.SV4.3.91.960404184726.12501A-100000@cedb>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 4 Apr 1996, Eric Eden wrote:
> The only problem is when users mistakenly supply cleartext initially,
> they can never update their information because the program isn't
> smart enough to realize that the user was submitting cleartext instead
> of an encrypted password when setting up their account.

Far from bulletproof, but the three Unice I just checked, SCO Unix, 
UnixWare and FreeBSD, all generate 13 character encrypted passwords.
I believe this is the norm for crypt.

Very few people around here have 13 character clear text passwords,
those that do are either very security conscious and won't use CRYPT-PW
or it's just coincidental and their bad luck.

Anyway, requiring the supposedly encrypted password to be 13 characters
is probably about the best you can do.  If crypt generated recognizable
patterns it wouldn't be very useful, would it?

I'm still debating whether or not to allow our clients to use this 
option.  We may require clients registering domains to pick up a copy 
of PGP first.  

Dan
-- 
 Dan Busarow
 DPC Systems
 Dana Point, California
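
The 13-character test discussed in this message, written out as an added example (not code from the original message or from InterNIC). It goes beyond the length check by also testing the traditional DES crypt(3) character set and the two unused padding bits in the final character; the function name and all sample values are constructed for illustration.

```python
import string

# Character set used by traditional DES-based crypt(3) for both salt and hash.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
CRYPT_LEN = 13  # 2 salt characters + 11 hash characters


def classify_crypt_field(value):
    """Return (accepted, reason) for a field that should hold a crypt() result.

    Hypothetical helper: structural checks only. A pass means "could be a
    crypt() result", never "is one".
    """
    if len(value) != CRYPT_LEN:
        return False, "length"
    if any(ch not in CRYPT_ALPHABET for ch in value):
        return False, "alphabet"
    # Eleven 6-bit characters carry 66 bits, but the DES output is 64 bits,
    # so the low two bits of the last character's value are always zero.
    if CRYPT_ALPHABET.index(value[-1]) & 3:
        return False, "padding-bits"
    return True, "plausible"


# Constructed sample submissions (none is a real account's password or hash).
SAMPLES = [
    "abQx7./kLm9ZE",   # shaped like a crypt() result
    "hunter2",         # short cleartext
    "correct-horse",   # 13 characters, but '-' is outside the alphabet
    "Mississippi99",   # 13 alphanumerics, final character fails the bit check
    "Conversations",   # 13-letter cleartext that passes every check
]

if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, reason = classify_crypt_field(sample)
        print(f"{sample!r:18} accepted={accepted} reason={reason}")
```

The last sample is the coincidental case: a cleartext value that survives all three checks and would still be stored as if it were already encrypted.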





