Thursday Mar 29, 2007

2007-03-30 Security Link Of The Day - ROT13 Passwords

Solaris is - to the best of my knowledge - unique amongst Unix impementations in having a pluggable password encryption routine so that the administrator has the option of selecting a non-default password hash routine with the hope of making yourself more proof against password cracking - plus you can migrate users off-off older, weaker algorithms in a smooth fashion.

Brendan Gregg took this to the point of extreme silliness when he implemented a ROT13 password-hashing module for which he's posted the source; if you're not familiar with ROT13 it's the most trivial of pencil-and-paper ciphers, the sort of thing which got used to hide the punchlines of jokes posted via e-mail or on USENET.

I wouldn't recommend rolling out Brendan's code in an enterprise deployment - not unless you want all your passwords cracked in about 3 milliseconds flat - but it makes a nice proof of concept, and shows what you are free to do with the pluggable crypt API.

- alec

About

This blog provides security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle Products.
Summarized version of this blog is available as a mapping of CVEs and solutions.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
2
3
4
5
6
7
8
9
10
11
12
13
14
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today