Storing Passwords Post: 302928987

Sponsored Content

Top Forums Web Development Storing Passwords Post 302928987 by jim mcnamara on Tuesday 16th of December 2014 05:24:40 PM

12-16-2014

Registered User

Source code gives them where the keys are stored, if they can get to code.

The point is not any of the above. Where do you store the key to decrypt the half-key?
This is a logical fallacy. It is called circular reasoning. I need a key to decrypt a key. I still have to store that secondary key somewhere, or the system will have to regenerate it. Regenerate means I can see it in the source. Storage means it is a sitting duck, unencrypted.

I agree that simply having the algorithm and knowing the block cipher is not a complete solution, but the logic behind this needs some work. Having the source also means shell code or another crack is now a possibility.

There is far more to security than passwords. We have a large number of fairly insecure old unpatchable windows servers. They have many known exploits. They are pretty safe.

Why? Because getting to them externally is really hard, you have to hack several external software and physical barriers to get at them. But they could be trashed by an internal employee easily. So we have to have trust somewhere. ROI.

jim mcnamara

View Public Profile for jim mcnamara

Find all posts by jim mcnamara

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Passwords

I am running unix 11.xxx....How do you change a user password. The previous vs was passwd at the command prompt. This no longer works. Thanks for the help

2. Shell Programming and Scripting

Hide Passwords

Is there a way not to display the password in the sys out when your korn shell script logs into sqlplus?

3. UNIX for Dummies Questions & Answers

sqlplus and passwords

Hope I'm in the right place to ask this. ... and I'm a total noob by the way. When changing an account password through telnet, everything seems fine. I can telnet back in afterward, but if I try to use sqlplus to get in it tells me password invalid. If I try to get in through sqlplus with the...

4. AIX

passwords encryption

I want to store a password of a user in a encrypted format and the use that encrypted password in my shell scripting. can any one of you let me know how to do it. Thanks in advance

5. UNIX for Advanced & Expert Users

About unix passwords.

How the unix is maintaining the password ? How it does the encryption and how the passwords are stored in the system and where it is stored ? How it is better when compared to other OS ?

6. OS X (Apple)

Storing ssh passwords/keys in keychain

Can anyone tell me how to set up ssh and keychain so when I connect to the remote system it uses keychain for the password or public key? The remote system is FreeBSD 8.0. Do I need to setup anything else on that end? Cheers.

7. Shell Programming and Scripting

passwords

Dear all, I need to automate/script a user password change process. I'm helpless cannot use expect since it's not installed and cannot install it either. Do i have an alternative. I can store the password in a file and that would be the password that would be set to all the users. If not i don't...

8. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the...

9. HP-UX

Passwords and shadows

version 11.22 1 - In this version there is the shadow file by default?. If so why when I search the file I get "No / etc / shadow file found"? 2 - What does the "*" in etc / password? at the beginning of each password?

LEARN ABOUT PLAN9

encrypt

ENCRYPT(2)							System Calls Manual							ENCRYPT(2)

NAME

       encrypt, decrypt, netcrypt - DES encryption

SYNOPSIS

       #include <u.h>
       #include <libc.h>

       int  encrypt(void *key, void *data, int len)

       int  decrypt(void *key, void *data, int len)

       int  netcrypt(void *key, void *data)

DESCRIPTION

       Encrypt	and  decrypt  perform DES encryption and decryption.  Key is an array of DESKEYLEN (defined as 7 in <auth.h>) bytes containing the
       encryption key.	Data is an array of len bytes; it must be at least 8 bytes long.  The bytes are encrypted or decrypted in place.

       The DES algorithm encrypts an individual 8 byte block of data.  Encrypt uses the following method to encrypt data longer than 8 bytes.  The
       first 8 bytes are encrypted as usual.  The last byte of the encrypted result is prefixed to the next 7 unencrypted bytes to make the next 8
       bytes to encrypt.  This is repeated until fewer than 7 bytes remain unencrypted.  Any remaining unencrypted bytes are encrypted with enough
       of the preceding encrypted bytes to make a full 8 byte block.  Decrypt uses the inverse algorithm.

       Netcrypt  performs  the	same encryption as a SecureNet Key.  Data points to an ASCII string of decimal digits with numeric value between 0
       and 10000.  These digits are copied into an 8 byte buffer with trailing binary zero fill and encrypted as one DES block.   The  first  four
       bytes are each formatted as two digit ASCII hexadecimal numbers, and the string is copied into data.

SOURCE

       /sys/src/libc/port

DIAGNOSTICS

       These routines return 1 if the data was encrypted, and 0 if the encryption fails.  Encrypt and decrypt fail if the data passed is less than
       8 bytes long.  Netcrypt can fail if it is passed invalid data.

SEE ALSO

       securenet(8)

BUGS

       The source is not included in public distributions.  The implementation is broken in a way  that  makes	it  unsuitable	for  anything  but
       authentication.

																	ENCRYPT(2)