QNX / iOpener passwd() broken
Posted 15 Apr 2000 at 22:47 UTC by advogato
It looks like QNX decided to implement their own passwd() algorithm instead of using the standard Unix version. As is often the case with home-brewed, non-peer-reviewed crypto, it is totally insecure. Source code to break it is on www.i-opener-linux.net.
This apparently affects the Netpliance iOpener, as well as probably most other QNX-based devices. Quite a number of nontrivial passwords have been posted already.
This isn't really a free software story (my apologies if readers find it off-topic), but it does highlight one of the serious risks of not using free software. Obviously, a fiasco like this would never happen with Linux or any of the BSD variants.
Thanks to Peter Gutmann for posting a heads-up to cypherpunks.
Using well known, field tested crypto and hashing algorithms is the issue. Free software is merely one way that could prevent wannabe algorithms from ever being used.
It is sad that companies are _still_ trying to "roll their own" crypto when excellent algorithms and protocols are proven and freely available. I can understand their aversion to Unix crypt() though. It is an algorithm well past its time. They should have used OpenBSD's blowfish password system which is close to future-proof.