Double crypt strength

[Rick Osborne <osborne@gateway.grumman.com>]

I am curious as to the strength of Un*x crypt when used upon itself.  I was
thinking of was to obfuscate passwords and a few came to mind (obviously
not original):
1. Use a hashed passphrase.
2. Encrypt your original password and then used that as your password.  (Or
triple, quadruple, ad inifinitum...)

Re #1: I know that a good hash will take a pass phrase and reduce it to a
statistically random sequence.  I'm not intending to use the hash for
verfication, but for two reasons:
1. Get a nice random jumble
2. Come out with something shorter than I came in with.

Re #2: This I thought might help spoil a dictionary attack.  Granted, if
the attacker knows that you are doing this, it only adds one step in his
process, but if he doesn't it turns his attack into plain brute force.
Plus, for Un*x users, it's right there on the command line and only adds a
few seconds to the entire procees of changing passwords.

The added benefit with both of these is that the user does not have to
remember some cryptic string, but can remember his normal password/phrase.
By this, it is obviously not a commercial-use scheme, but one for
individual users.  (If everyone used the same algorithm, it'd be kinda
pointless, right?)  So with everyone (hashing down/reencrypting) their
(passphrases/passwords) with different algorithms, all attacks are reduced
to brute force.  Either that, or the attacker has to figure out what
algorithm the user used, still making a dictionary attack that much harder.

So what are the comments on a system like this?  Obviously, they are not
original ideas, but I would like to know what has been said about them.


Rick Osborne / osborne@gateway.grumman.com / Northrop Grumman Corporation
-------------------------------------------------------------------------
What the hell, it's only 4 month's grant - I can live in a cardboard box,
and catch pigeons for food. After all, I've got raytracing to do!