From nobody@FreeBSD.org  Sun May 15 03:07:33 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1DC5D106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 15 May 2011 03:07:33 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 0DDAE8FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 15 May 2011 03:07:33 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p4F37WQM056461
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 15 May 2011 03:07:32 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p4F37WwG056460;
	Sun, 15 May 2011 03:07:32 GMT
	(envelope-from nobody)
Message-Id: <201105150307.p4F37WwG056460@red.freebsd.org>
Date: Sun, 15 May 2011 03:07:32 GMT
From: Jeffrey Walton <noloader@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         157049
>Category:       docs
>Synopsis:       FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trhodes
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 15 03:10:12 UTC 2011
>Closed-Date:    
>Last-Modified:  Mon Feb 03 19:07:04 UTC 2014
>Originator:     Jeffrey Walton
>Release:        Apple's Flavor
>Organization:
None
>Environment:
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i38
>Description:
From the FreeBSD Handbook (http://www.freebsd.org/doc/en/books/handbook/crypt.html):

14.4 DES, Blowfish, MD5, and Crypt
    ...
    Unfortunately the only secure way to encrypt passwords when
    UNIX came into being was based on DES, the Data Encryption
    Standard.

I believe the above is not accurate. According to Password Security: A Case History [1], Morris and Thompson write in their PROLOGUE:

    The UNIX system was first implemented with a password file
    that contained the actual passwords of all the users....

Later, under THE FIRST SCHEME, Morris and Thompson write:

    A convenient and rather good encryption program happened to
    exist on the system at the time; it simulated the M-209 cipher
    machine used by the U.S. Army during World War II. It turned
    out that the M-209 program was usable, but with a given key,
    the ciphers produced by this program are trivial to invert. ...
    the password was used not as the text to be encrypted but as
    the key, and a constant was encrypted using this key.

I'm a big fan of history, and others might also find Morris and Thompson's history of the Unix password system interesting.

Jeffrey Walton
Baltimore, MD, US

[1] www.cs.bell-labs.com/who/dmr/passwd.ps


>How-To-Repeat:
N/A
>Fix:
N/A

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Mon Feb 3 19:06:44 UTC 2014 
Responsible-Changed-Why:  
Take this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157049 
>Unformatted:
