On Aug 10, 11:15am,
sinck@owmyeye.ugive.com wrote:
> _ If you're using MD5 passwords in Linux' /etc/shadow,
> _ then you'll need to run "crack" on your old hashed
> _ passwords to convert them to cleartext, and...
>
> But that'll be processor intensive and fail because all of the users
> will have picked secure passwords, right? :-)

Even if they weren't secure passwords, the conversion from cleartext
to encrypted text represents a many-to-one mapping (1), so we can't be
sure that crack would find the user's actual password. This might not
matter if you continue to use the same algorithm to regenerate a new
password, but surely the use of a different algorithm would cause
difficulties.

In any event, I agree with you. `crack' is too computationally
expensive, plus there's no guarantee that it'll find the correct
password, or even any password.

(1) Actually, the mapping is many-to-many due to the "salt" in the
encrypted password. I believe this was done to reduce the
likelihood of two people with identical passwords having the same
(encrypted) password in the passwd database.
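An added worked example, not part of the original thread or of any tool the posters mention: it shows the two points under discussion in running code. First, that a salted scheme gives two users with the same password different stored hashes, while an unsalted one does not. Second, that an old hash cannot be "converted" to a new algorithm without the cleartext, and the usual way around running `crack` is to re-hash at the moment the cleartext is legitimately available, i.e. at the user's next successful login. The legacy store here is a constructed, unsalted MD5 (deliberately not Linux's salted `$1$` crypt format), and the names `legacy_hash`, `new_hash`, `PasswordDB` and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for "the old algorithm": an unsalted MD5 hex digest.
# (Linux crypt(3) MD5 entries are salted; this is simplified on purpose so
# the salt's effect is visible.)
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hypothetical "new algorithm": salted PBKDF2-HMAC-SHA256, stored as
# $pbkdf2-sha256$<iterations>$<salt hex>$<derived key hex>
def new_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_new(password: str, stored: str) -> bool:
    # Re-derive with the salt and iteration count recorded in the entry.
    _, scheme, iters, salt_hex, _dk = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    candidate = new_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)  # constant-time compare

def salted_hashes_differ(password: str) -> bool:
    # Same cleartext, two stored entries: with a salt they differ.
    return new_hash(password) != new_hash(password)

def unsalted_hashes_collide(password: str) -> bool:
    # Same cleartext, no salt: identical entries in the database.
    return legacy_hash(password) == legacy_hash(password)

class PasswordDB:
    """Password store that migrates legacy entries lazily at login.

    Each entry is (scheme, stored_hash). Nothing here ever tries to invert
    a legacy hash; the cleartext is only ever seen when the user presents it.
    """

    def __init__(self, legacy_entries: dict):
        self.entries = {user: ("legacy", h) for user, h in legacy_entries.items()}

    def scheme_for(self, user: str) -> str:
        return self.entries[user][0]

    def login(self, user: str, password: str) -> bool:
        if user not in self.entries:
            return False
        scheme, stored = self.entries[user]
        if scheme == "legacy":
            if not hmac.compare_digest(legacy_hash(password), stored):
                return False
            # Cleartext is in hand right now: re-hash under the new scheme
            # and drop the legacy entry. No cracking required.
            self.entries[user] = ("new", new_hash(password))
            return True
        return verify_new(password, stored)

if __name__ == "__main__":
    # Constructed sample store with one legacy user.
    db = PasswordDB({"alice": legacy_hash("correct horse battery")})
    print("before login:", db.scheme_for("alice"))
    print("wrong password:", db.login("alice", "wrong"))
    print("right password:", db.login("alice", "correct horse battery"))
    print("after login:", db.scheme_for("alice"))
    print("salted entries differ:", salted_hashes_differ("hunter2"))
    print("unsalted entries collide:", unsalted_hashes_collide("hunter2"))
```

The wrong-password branch is the one to keep an eye on: a failed login must leave the legacy entry untouched, otherwise an attacker could force entries into a state they control. Whether a site can tolerate the legacy hashes lingering until each user logs in again is a policy question the example does not answer; it only shows that the cleartext needed for the new algorithm is obtainable without `crack`.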