It looks like QNX decided to implement their own passwd() algorithm
instead of using the standard Unix version. As is often the case with
home-brewed, non-peer-reviewed crypto, it is totally insecure. Source
code to break it is on www.i-opener-linux.net.
This apparently affects the Netpliance iOpener, as well as probably most
other QNX-based devices. Quite a number of nontrivial passwords have
This isn't really a free software story (my apologies if readers find it
off-topic), but it does highlight one of the serious risks of not
using free software. Obviously, a fiasco like this would never happen
with Linux or any of the BSD variants.
Thanks to Peter Gutmann for posting a heads-up to cypherpunks.
It is sad that companies are _still_ trying to "roll their own" crypto
when excellent algorithms and protocols are proven and Freely available.
I can understand their aversion to Unix crypt() though. It is an
algorithm well past its time. They should have used OpenBSD's
blowfish password system which is close to future-proof.