2007-03-30 Security Link Of The Day - ROT13 Passwords

Solaris is - to the best of my knowledge - unique amongst Unix implementations in having a pluggable password-encryption routine, so that the administrator has the option of selecting a non-default password-hash algorithm, in the hope of making the system more resistant to password cracking; it also lets you migrate users off older, weaker algorithms in a smooth fashion, since the hash stored for each user carries an identifier saying which algorithm produced it.

Brendan Gregg took this to the point of extreme silliness when he implemented a ROT13 password-hashing module, for which he has posted the source; if you're not familiar with ROT13, it's the most trivial of pencil-and-paper ciphers, the sort of thing that got used to hide the punchlines of jokes posted via e-mail or on USENET.

I wouldn't recommend rolling out Brendan's code in an enterprise deployment - not unless you want all your passwords cracked in about 3 milliseconds flat, since ROT13 is its own inverse and the stored "hash" is just the password with its letters shifted - but it makes a nice proof of concept, and shows what you are free to do with the pluggable crypt API.

- alec
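To make the shape of the pluggable crypt API concrete, here is an added example (mine, not Brendan's module and not Sun's code) of what a ROT13 module looks like when written against the two entry points a Solaris crypt module exports, crypt_gensalt_impl(3C) and crypt_genhash_impl(3C). The algorithm identifier "rot13" in the "$rot13$" prefix is an assumption chosen for illustration, the sample password is constructed, and rot13_recover() is the whole "attack": because ROT13 is an involution, running the hash function over the stored field hands back the password.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct passwd;  /* only a pointer to it is needed; avoids depending on <pwd.h> */

/* Hypothetical algorithm identifier. Solaris stores hashes as
 * "$<identifier>$..." and crypt.conf maps the identifier to a module;
 * the name "rot13" here is an assumption for this example. */
#define ROT13_PREFIX "$rot13$"
#define ROT13_PREFIX_LEN (sizeof(ROT13_PREFIX) - 1)

static char rot13_char(char c)
{
    if (c >= 'a' && c <= 'z') return (char)('a' + (c - 'a' + 13) % 26);
    if (c >= 'A' && c <= 'Z') return (char)('A' + (c - 'A' + 13) % 26);
    return c;   /* digits and punctuation pass through, as in the classic cipher */
}

/* Entry point 1 of a crypt module, per crypt_gensalt_impl(3C).
 * ROT13 has no salt, so the "salt" is only the algorithm prefix that tells
 * crypt(3C) which module to dispatch to. */
char *crypt_gensalt_impl(char *gsbuffer, size_t gsbufflen, const char *oldsalt,
                         const struct passwd *userinfo, const char **params)
{
    (void)oldsalt; (void)userinfo; (void)params;
    if (gsbufflen < sizeof(ROT13_PREFIX))
        return NULL;
    memcpy(gsbuffer, ROT13_PREFIX, sizeof(ROT13_PREFIX));
    return gsbuffer;
}

/* Entry point 2, per crypt_genhash_impl(3C): produce the string that goes
 * into the shadow file. Here that is prefix + ROT13(plaintext). */
char *crypt_genhash_impl(char *ctbuffer, size_t ctbufflen, const char *plaintext,
                         const char *salt, const char **params)
{
    size_t plen = strlen(plaintext), i;
    (void)params;
    if (salt == NULL || strncmp(salt, ROT13_PREFIX, ROT13_PREFIX_LEN) != 0)
        return NULL;                           /* not our algorithm */
    if (ctbufflen < ROT13_PREFIX_LEN + plen + 1)
        return NULL;                           /* caller's buffer too small */
    memcpy(ctbuffer, ROT13_PREFIX, ROT13_PREFIX_LEN);
    for (i = 0; i < plen; i++)
        ctbuffer[ROT13_PREFIX_LEN + i] = rot13_char(plaintext[i]);
    ctbuffer[ROT13_PREFIX_LEN + plen] = '\0';
    return ctbuffer;
}

/* The "3 milliseconds" attack: ROT13 is its own inverse, so the stored hash
 * field is decrypted by applying the same transform again. No guessing,
 * no dictionary, no salt to work around. Returns 0 on success. */
int rot13_recover(const char *stored, char *out, size_t outlen)
{
    size_t i, n;
    if (strncmp(stored, ROT13_PREFIX, ROT13_PREFIX_LEN) != 0)
        return -1;
    stored += ROT13_PREFIX_LEN;
    n = strlen(stored);
    if (outlen < n + 1)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = rot13_char(stored[i]);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char salt[16], hash[64], recovered[64];
    const char *password = "Hello, World";   /* constructed sample input */

    if (crypt_gensalt_impl(salt, sizeof salt, NULL, NULL, NULL) == NULL ||
        crypt_genhash_impl(hash, sizeof hash, password, salt, NULL) == NULL)
        return 1;
    printf("shadow field: %s\n", hash);       /* $rot13$Uryyb, Jbeyq */
    if (rot13_recover(hash, recovered, sizeof recovered) == 0)
        printf("recovered:    %s\n", recovered);
    return 0;
}
```

On a real Solaris box the module is built as a shared object under /usr/lib/security, given a line in /etc/security/crypt.conf mapping the identifier to that object, and selected with CRYPT_DEFAULT in /etc/security/policy.conf; CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE in the same file are what drive the smooth migration mentioned above, since a user whose current hash was made with a disallowed algorithm gets re-hashed with the default one at their next password change. The buffer-length checks are the part worth copying: a crypt module writes into a caller-supplied buffer, and a real hash module that skipped them would be a far worse problem than a weak cipher.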

Comments:

ROT13 by itself is insecure. That's why I recommend double ROT13, or if you're ultra paranoid quadruple ROT13.

Posted by BlogReader on March 29, 2007 at 10:56 PM PDT #

FreeBSD has had this since 2000, OpenBSD since revision 1.1 way back in 1997. Or did I miss something?

Posted by Ceri Davies on April 03, 2007 at 07:23 AM PDT #

Actually, yes; FreeBSD and the like use a software switch within crypt() to choose one of a handful of hardcoded algorithms; to the best of my knowledge even today they do not support runtime-loaded algorithms and/or the ability to add new algorithms at a whim. See my explanation at http://www.crypticide.com/dropsafe/articles/security/post20051205182853.html for a little more context. If I am wrong, please let me know....

Posted by alecm on April 03, 2007 at 08:51 PM PDT #

OK, I see the difference, thanks.

Posted by Ceri Davies on April 04, 2007 at 12:02 AM PDT #
