Slower Encryption
Obviously the M-209 program was far too fast.
Unix switched to the DES encryption algorithm,
which is slow when implemented in software.
The DES was implemented in the following way:
The first eight characters of user's password are used a key
to encrypt a constant (0).
Then the DES algorithm is iterated 25 times and the resulting 64 bits
are repacked to become a string of 11 printable characters.
Less Predictable Passwords
The password program was changed to urge the user to use harder passwords.
If the user enters a alphabetic password shorter than 6 characters,
or a password from a larger character set shorter than 5 characters,
then he is asked to enter a longer password.
Salted Passwords
Consider an intruder trying to gain access to as many users of as many Unix systems as possible. For each password he tries, he can check the entries of all the users in the systems. Moreover, he can compile a list of likely passwords, encrypt them, and save the results in some sorted file, so that any encrypted password can be searched easily. As new passwords are added, he can check them against his compiled list at no encryption cost.
Unix uses a technique of salted passwords that renders attacks of the above kind useless. When a password is first entered, the password program obtains a 12 bit random number (by reading the real-time clock) and appends this to the password entered by the user. The concatenated string is used as the key for encryption, and both the 12 bit random number and the result of encryption are stored in the password file. When the user later logs on to the system, the 12 bit quantity is extracted from the password file and appended to the typed password. The encrypted result is required as before to be the same as the 64-bit result of encryption stored in the password file.
Now an intruder cannot amortize the cost of one encryption over all the password entries to be searched. Moreover, a complied file of encrypted passwords has to contain 2entries for each guessed password. Thus if the intruder considers `Purdue' a good guess, he would need to encrypts all of the strings `Purdue0000'...`Purdue111'. Thus this method offers protection agains intruders who try to precompute a large number of encrypted password. However, it does not protect an individual user whose password is `Purdue'. The intruder can read the random number from the password entry for the user, append the random number to the password `Purdue', encrypt the result, and check it against the 64-bit cyphertext stored in the password file. He does not have to try all strings `Purdue0000'...`Purdue111'.
One of the side effects of this modification is that it becomes impossible to find out whether a person with passwords on several machines has used the same password on all of them. .ip "{ The Threat of the DES Chip"
As mentioned earlier,
chips are available to do the DES encryption fast (3 times as fast as software).
To prevent the use of such chips,
one of the internal tables of the DES algorithm is changed in a way that
depends on the random number.
This table is hardwired into the commercially available chip.
Obviously,
the intruder could design and build his own chip that takes the random number
as input,
but the cost would be very high.
User Names
Consider an intruder that is trying to guess both user names and passwords.
He should not be able to tell,
after an unsuccessful attempt,
which of his guesses was bad: the user name or the password.
Therefore
Unix does the encryption of the password even if an invalid user name
is typed.