Double crypt strength
I am curious as to the strength of Un*x crypt when used upon itself. I was thinking of ways to obfuscate passwords and a few came to mind (obviously not original):

1. Use a hashed passphrase.
2. Encrypt your original password and then use that as your password. (Or triple, quadruple, ad infinitum...)

Re #1: I know that a good hash will take a pass phrase and reduce it to a statistically random sequence. I'm not intending to use the hash for verification, but for two reasons:

1. Get a nice random jumble
2. Come out with something shorter than I came in with.

Re #2: This I thought might help spoil a dictionary attack. Granted, if the attacker knows that you are doing this, it only adds one step in his process, but if he doesn't it turns his attack into plain brute force. Plus, for Un*x users, it's right there on the command line and only adds a few seconds to the entire process of changing passwords.

The added benefit with both of these is that the user does not have to remember some cryptic string, but can remember his normal password/phrase. By this, it is obviously not a commercial-use scheme, but one for individual users. (If everyone used the same algorithm, it'd be kinda pointless, right?)

So with everyone (hashing down/reencrypting) their (passphrases/passwords) with different algorithms, all attacks are reduced to brute force. Either that, or the attacker has to figure out what algorithm the user used, still making a dictionary attack that much harder.

So what are the comments on a system like this? Obviously, they are not original ideas, but I would like to know what has been said about them.

Rick Osborne / osborne@gateway.grumman.com / Northrop Grumman Corporation

-------------------------------------------------------------------------

What the hell, it's only 4 month's grant - I can live in a cardboard box, and catch pigeons for food. After all, I've got raytracing to do!
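An added illustration, not part of the original post, of the post's own caveat that a derivation the attacker knows about costs only one extra step per dictionary word. It counts the guesses a wordlist audit needs and compares that with the brute-force space for an 8-character result. Assumptions: SHA-256 stands in for crypt(3), and `derive`, `stored_hash`, `guesses_needed`, the wordlist and the salt are all constructed for this example.

```python
import base64
import hashlib

def derive(passphrase: str, rounds: int = 1) -> str:
    """Hash the phrase `rounds` times, keeping 8 printable characters each time.
    rounds=0 means the phrase is used as the password unchanged."""
    value = passphrase
    for _ in range(rounds):
        digest = hashlib.sha256(value.encode()).digest()
        value = base64.b64encode(digest).decode()[:8]
    return value

def stored_hash(password: str, salt: str) -> str:
    """Stand-in (assumption) for the salted entry crypt(3) would store."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def guesses_needed(target: str, salt: str, wordlist, max_rounds: int):
    """Audit a stored hash against a wordlist, trying every derivation depth
    from 0 to max_rounds for each word. Returns (guesses, word, rounds),
    or None when no word/depth combination matches."""
    guesses = 0
    for word in wordlist:
        for rounds in range(max_rounds + 1):
            guesses += 1
            if stored_hash(derive(word, rounds), salt) == target:
                return guesses, word, rounds
    return None

def brute_force_space(length: int = 8, alphabet: int = 64) -> int:
    """Size of the space if the 8 base64 characters were truly random."""
    return alphabet ** length

# Constructed sample data, not taken from the post.
WORDLIST = ["password", "letmein", "dragon", "raytracing", "pigeon"]
SALT = "ab"

def demo():
    # The user remembers "raytracing" and applies the derivation twice.
    target = stored_hash(derive("raytracing", 2), SALT)
    return guesses_needed(target, SALT, WORDLIST, max_rounds=3)

if __name__ == "__main__":
    guesses, word, rounds = demo()
    worst_case = len(WORDLIST) * 4  # every word at depths 0..3
    print(f"recovered {word!r} at depth {rounds} in {guesses} guesses")
    print(f"wordlist audit worst case: {worst_case} guesses")
    print(f"random 8-char space:       {brute_force_space()} guesses")
```

The derived password looks random, but its strength is bounded by the size of the wordlist times the number of derivations tried, not by the 64^8 space its appearance suggests.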