I have also noticed a problem with Network Solutions' handling of passwords for CRYPT-PW authentication: when you submit the password initially, the form they generate with their New Contact Form web system runs the password you enter through crypt(), but the first two characters of the encrypted value (the salt) are the same as the first two characters of the password, indicating they use the password as its own salt. This dramatically limits the usefulness of encrypting the password in the first place, since you've already given away the first two characters, and probably hamstrung the whole algorithm at the same time. (More advanced crypto people than I can comment on this.) In any case, this is definitely the wrong way to do it. I re-encrypted my password with different salt when submitting it and this appeared to work fine. But Network Solutions should be generating a random salt value; not storing a portion of the password unencrypted in their database as the salt. Most people won't even notice, and very few will know how to generate their own properly salted value. -- Jefferson Ogata <jogataat_private> National Oceanographic Data Center You can't step into the same river twice. -- Herakleitos
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:55 PDT