On Thu, Jul 05, 2001 at 12:33:19PM -0500, Jay Kline wrote:
> Someone correct me if I am wrong, but doesn't the crypt() function do some
> seeding which will not allow the same shadow file to exist on more than one
> machine (or 2 different installs on the same machine)? I could be way off
> in left field on this, but I thought that was part of the reason shadow was
> more secure.

You're wrong. If you were correct, NIS and shadow couldn't work together, but they get along just fine.

What you're probably thinking of is "salt". It's a pair of characters fed into crypt() along with the password which modifies the result. Password implementations that use salt typically include it as the first two characters of the password hash, so that it will be available when the password is checked.

(It may seem pointless to use salt if you're just going to tell the world what salt you added, but it isn't. Without salt, a dictionary attack could just run "secret" through crypt and check the resulting hash against the entire password database to see whether anyone had it as their password. With salt, the attacker needs to re-crypt candidate passwords for each user (or group of users with the same salt), which prevents him obtaining any economies of scale by choosing to brute-force a larger password file.)
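An added illustration of the two points made above (the salt is stored as the first two characters of the entry, and the cost of a dictionary run scales with the number of distinct salts); this is not code from the thread, and it uses SHA-256 as a hypothetical stand-in for the DES-based crypt() so it runs without the crypt library. The salt alphabet and two-character layout follow the traditional crypt() convention.

```python
import hashlib
import secrets
import string

# Hypothetical stand-in for crypt(): same "./0-9A-Za-z" two-character
# salt and same "salt is the first two characters of the stored hash"
# layout, but the digest is SHA-256 instead of the DES-based algorithm.
SALT_CHARS = string.ascii_letters + string.digits + "./"


def salted_hash(password: str, salt: str) -> str:
    """Return salt + hex digest, so the salt travels with the hash."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from " + SALT_CHARS)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def new_entry(password: str) -> str:
    """Create a stored entry with a freshly chosen random salt."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(2))
    return salted_hash(password, salt)


def check_password(candidate: str, stored: str) -> bool:
    """Verify a candidate by re-hashing it with the salt read from the entry."""
    salt = stored[:2]
    return secrets.compare_digest(salted_hash(candidate, salt), stored)


def hash_calls_for_dictionary(entries, wordlist, salted: bool) -> int:
    """Number of hash computations a dictionary run needs against the whole
    database: once per word when unsalted, once per word per distinct salt
    when salted (users sharing a salt can still be checked together)."""
    if not salted:
        return len(wordlist)
    distinct_salts = {entry[:2] for entry in entries}
    return len(wordlist) * len(distinct_salts)


if __name__ == "__main__":
    # Constructed sample database: three users, two of them sharing a salt.
    db = [salted_hash("secret", "ab"), salted_hash("hunter2", "ab"),
          salted_hash("secret", "cd")]
    words = ["password", "secret", "letmein"]
    print(db[0] != db[2], check_password("secret", db[2]))
    print(hash_calls_for_dictionary(db, words, salted=False),
          hash_calls_for_dictionary(db, words, salted=True))
```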