1. Field of the Invention
The present invention relates to mechanisms for providing security in computer systems. More specifically, the present invention relates to a method and an apparatus for implementing a pluggable password obscuring mechanism that can be reconfigured to use different obscuring techniques without having to modify source code.
2. Related Art
A computer system typically requires a user to provide a user name and a password for authentication purposes before allowing the user to access a specific account or application. The computer system verifies that the password is correct by performing a lookup based on the user name in a password store that is accessible by the computer system. For security purposes, this password store is typically encrypted or otherwise obscured so that an eavesdropper or a rogue application cannot determine the passwords by simply examining the data within the password store. Note that a computer system typically does not decrypt a password during an authentication operation, but instead encrypts the password supplied by the user and then compares the newly encrypted password with an encrypted password retrieved from the password store.
As computer systems grow increasingly powerful, existing password encryption techniques are becoming vulnerable to brute-force decryption techniques. For example, assuming that a password contains only characters from a subset of characters that most people use, it is possible to crack the commonly used Data Encryption Standard (DES) encryption technique in a day or two using computing resources that are available to the average undergraduate.
Because of this increased vulnerability, some system administrators would like to use stronger encryption techniques to encrypt passwords. However, it is presently not possible to modify existing systems to use a different password encryption technique without modifying source code for the operating system or application. Unfortunately, in many cases only the executable files for an operating system or application are provided, and this source code is not available.
Moreover, even if the source code can be modified for a specific computer system to produce modified executable code, the modified executable code cannot be updated using patches that are distributed to fix bugs in the original unmodified executable code.
Hence, what is needed is a method and an apparatus that allows a password encryption technique to be modified without having to modify source code.
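The following sketch is an added illustration, not code from this document or from the invention it describes. It shows the verification flow from the Related Art section (re-obscure the supplied password and compare, never decrypt) with the technique for new entries selected by configuration text instead of being hard-coded. The registry names, the `default_technique` key and the `name$salt$digest` entry layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Hypothetical registry: technique name -> function(password, salt) -> digest.
# The names and the record layout below are assumptions made for this example.
TECHNIQUES = {
    "sha256-iter": lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 1_000),
    "sha512-iter": lambda pw, salt: hashlib.pbkdf2_hmac("sha512", pw, salt, 200_000),
}


def parse_config(text):
    """Read 'key = value' lines; '#' starts a comment."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            config[key.strip()] = value.strip()
    return config


def obscure(password, config, salt=None):
    """Create a store entry using the technique the configuration selects."""
    name = config["default_technique"]
    salt = salt if salt is not None else os.urandom(16)
    digest = TECHNIQUES[name](password.encode(), salt)
    return f"{name}${salt.hex()}${digest.hex()}"


def verify(password, entry):
    """Re-obscure the supplied password and compare; nothing is decrypted."""
    try:
        name, salt_hex, digest_hex = entry.split("$")
        technique = TECHNIQUES[name]
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except (ValueError, KeyError):
        return False  # malformed entry or unknown technique: reject
    return hmac.compare_digest(technique(password.encode(), salt), stored)


# Constructed sample configurations: only this text differs between the two.
OLD_CONFIG = parse_config("default_technique = sha256-iter  # legacy\n")
NEW_CONFIG = parse_config("default_technique = sha512-iter\n")
```

Because each entry records the technique that produced it, entries written under `OLD_CONFIG` still verify after the configuration is switched to `NEW_CONFIG`, and neither `obscure` nor `verify` changes.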