From owner-freebsd-hackers Thu Aug 29 11:09:46 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA23691 for hackers-outgoing; Thu, 29 Aug 1996 11:09:46 -0700 (PDT)
Received: from tombstone.sunrem.com (tombstone.sunrem.com [206.81.134.54]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA23683 for ; Thu, 29 Aug 1996 11:09:44 -0700 (PDT)
Received: (from brandon@localhost) by tombstone.sunrem.com (8.7.5/8.7.3) id MAA17447; Thu, 29 Aug 1996 12:08:12 -0600 (MDT)
Date: Thu, 29 Aug 1996 12:08:12 -0600 (MDT)
From: Brandon Gillespie
To: hackers@freeBSD.org
Subject: 'Backwards' DES support for crypt(), while still using better algo's
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm working on hacking SHA-1 encryption into passwords as '$2$' (suggested by Poul).

One thought I had was on systems that have existing passwords with DES, where they may want to use better encryption but they don't because right now it is either all or nothing (? as far as I can tell). What would be nice is to have '$0$' be DES encryption, then we could still support better encryption while also staying functional with older passwords (which you would likely want to just expire and let them re-encrypt), as calling crypt() with a salt which does not have a version on it would simply default to whatever the latest 'version' is, where prepending the version to it would force it to use that encryption.

This would also require a change in passwd so it doesn't unintentionally keep using DES or MD5 and just inherently uses the 'latest' version by not specifying the version in its salt (right now passwd/local_passwd.c implicitly uses '$1$').

-Brandon Gillespie
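
The version-prefix dispatch proposed in the message above, as an added example that is not part of the original post and is not FreeBSD's crypt() code. The names select_scheme and needs_rehash are hypothetical; rejecting malformed or unknown prefixes, and treating an unprefixed stored entry as a legacy hash due for re-encryption, are assumptions of this sketch.

```c
#include <stddef.h>

/* Version numbers follow the post's proposal: $0$ DES, $1$ MD5, $2$ SHA-1. */
enum scheme { SCHEME_INVALID = -1, SCHEME_DES = 0, SCHEME_MD5 = 1, SCHEME_SHA1 = 2 };
#define SCHEME_LATEST SCHEME_SHA1

/*
 * Hypothetical helper: pick the scheme for a crypt() salt argument.
 * "$<digits>$rest" forces that version; no leading '$' selects the latest.
 * Malformed or unknown prefixes fail closed instead of falling back to DES.
 * On success *rest (if non-NULL) points at the salt text after the prefix.
 */
enum scheme select_scheme(const char *setting, const char **rest)
{
    const char *p;
    int version = 0, digits = 0;

    if (setting == NULL)
        return SCHEME_INVALID;
    if (setting[0] != '$') {            /* unversioned salt: use the newest scheme */
        if (rest) *rest = setting;
        return SCHEME_LATEST;
    }
    for (p = setting + 1; *p >= '0' && *p <= '9'; p++, digits++) {
        version = version * 10 + (*p - '0');
        if (version > SCHEME_LATEST)    /* unknown version; also bounds the value */
            return SCHEME_INVALID;
    }
    if (digits == 0 || *p != '$')       /* "$$...", "$x$..." or no closing '$' */
        return SCHEME_INVALID;
    if (rest) *rest = p + 1;
    return (enum scheme)version;
}

/*
 * Hypothetical policy check for a stored password entry: an entry with no
 * version prefix (assumed here to be a legacy hash), or with an older or
 * unparseable version, should be expired and re-encrypted with the latest.
 */
int needs_rehash(const char *stored)
{
    if (stored == NULL || stored[0] != '$')
        return 1;
    return select_scheme(stored, NULL) != SCHEME_LATEST;
}
```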