http://qs1969.pair.com?node_id=27823


in reply to Ethics of Passwords

Well, i'm not sure if there are any algorithm pairs out there that would work, but how about a public/private key pair, where you would encrypt the passwords with the public key. To check the passwords for login, you would again re-encrypt with the public key and compare the encrypted results (similar to standard hashes, The only problem, IIRC is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.)

If you end up with a user that can't remember their password, you just decrypt it with you private key (kept in a safe place of course). And hand it back to them.

Replies are listed 'Best First'.
RE: RE: Ethics of Passwords
by DaveHowe (Initiate) on Aug 15, 2000 at 20:49 UTC
    (similar to standard hashes, The only problem, IIRC is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.)
       That's deliberate - most PK algorithms add a salt value to the plaintext to avoid any weaknesses due to repeat-encryption. If you just do a plain PK encryption (RSA sounds like a good idea given the patent expires in about a month) then it is repeatable (for hash purposes) and decryptable given the secret key.

       If you would rather stick with something like PGP though, you could always encrypt the password when it is changed, but keep a hash of the password as well for verification.