From nobody@FreeBSD.org Sun May 15 03:07:33 2011
Return-Path:
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id 1DC5D106566C
    for ; Sun, 15 May 2011 03:07:33 +0000 (UTC)
    (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
    by mx1.freebsd.org (Postfix) with ESMTP id 0DDAE8FC08
    for ; Sun, 15 May 2011 03:07:33 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
    by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p4F37WQM056461
    for ; Sun, 15 May 2011 03:07:32 GMT
    (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
    by red.freebsd.org (8.14.4/8.14.4/Submit) id p4F37WwG056460;
    Sun, 15 May 2011 03:07:32 GMT
    (envelope-from nobody)
Message-Id: <201105150307.p4F37WwG056460@red.freebsd.org>
Date: Sun, 15 May 2011 03:07:32 GMT
From: Jeffrey Walton
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number: 157049
>Category: docs
>Synopsis: FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 15 03:10:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Jeffrey Walton
>Release: Apple's Flavor
>Organization: None
>Environment:
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i38
>Description:
From the FreeBSD Handbook (http://www.freebsd.org/doc/en/books/handbook/crypt.html):

    14.4 DES, Blowfish, MD5, and Crypt
    ...
    Unfortunately the only secure way to encrypt passwords when UNIX
    came into being was based on DES, the Data Encryption Standard.

I believe the above is not accurate.

According to Password Security: A Case History [1], Morris and Thompson write in their PROLOGUE:

    The UNIX system was first implemented with a password file that
    contained the actual passwords of all the users....

Later, under THE FIRST SCHEME, Morris and Thompson write:

    A convenient and rather good encryption program happened to exist
    on the system at the time; it simulated the M-209 cipher machine
    used by the U.S. Army during World War II. It turned out that the
    M-209 program was usable, but with a given key, the ciphers
    produced by this program are trivial to invert. ... the password
    was used not as the text to be encrypted but as the key, and a
    constant was encrypted using this key.

I'm a big fan of history, and others might also find Morris and Thompson's history of the Unix password system interesting.

Jeffrey Walton
Baltimore, MD, US

[1] www.cs.bell-labs.com/who/dmr/passwd.ps
>How-To-Repeat:
N/A
>Fix:
N/A
>Release-Note:
>Audit-Trail:
>Unformatted: