Re: MD5 password salt calculation
From: Jacques A. Vidrine (n@nectar.cc)
Date: 12/30/01
- Next message: Bill Vermillion: "Re: MS5 password salt calculation"
- Previous message: Allen Landsidel: "Re: MD5 password salt calculation"
- In reply to: Allen Landsidel: "Re: MD5 password salt calculation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 30 Dec 2001 00:02:48 -0600
From: "Jacques A. Vidrine" <n@nectar.cc>
To: Allen Landsidel <all@biosys.net>
On Sun, Dec 30, 2001 at 12:58:08AM -0500, Allen Landsidel wrote:
> Using something like strftime(3) defeats this, depending on the format used
> in the call. If you have 256 possible salts, then an attacker may be
> dissuaded from generating the lookup.
Actually, even really isn't enough salt, and is one of the several
problems with the traditional UNIX crypt scheme.
> If you only have 24 (say strftime
> was called to generate a normal human-readable time, and the two characters
> for the hour were used) then the purpose behind the salt is entirely
> defeated, and may as well be left off just to make the code cleaner.
Yes, that would be bad. But that's not what the original poster
described.
Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
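
The point about salt space in this exchange, as an added example that is not part of the original thread: a Python audit that counts distinct salts in passwd-style entries, comparing the hour-of-day salt discussed above with random salts. The `$1$salt$hash` field layout, the 8-character random salt, the function names and the sample lines are assumptions constructed for the illustration.

```python
import secrets
import time
from collections import Counter

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BASE = 1009670400  # 2001-12-30 00:00:00 UTC, constructed start time

def hour_salt(epoch):
    """Weak scheme from the thread: the two hour characters of a formatted time."""
    return time.strftime("%H", time.gmtime(epoch))

def random_salt(_epoch=None):
    """Eight random characters from the crypt alphabet (64**8 possible salts)."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(8))

def sample_lines(salt_fn, n=500):
    """Constructed passwd-style lines; the hash part is a placeholder."""
    return [f"user{i}:$1${salt_fn(BASE + i * 3700)}$HASHPLACEHOLDER:1001:1001::"
            for i in range(n)]

def parse_salt(field):
    """Return the salt of a $1$salt$hash password field, or None if not that form."""
    parts = field.split("$")
    if len(parts) == 4 and parts[0] == "" and parts[1] == "1" and parts[2]:
        return parts[2]
    return None

def audit_salts(lines):
    """Count salt reuse; every account sharing a salt shares one lookup table."""
    salts = Counter()
    for line in lines:
        cols = line.strip().split(":")
        salt = parse_salt(cols[1]) if len(cols) > 1 else None
        if salt is not None:
            salts[salt] += 1
    return {
        "entries": sum(salts.values()),
        "distinct_salts": len(salts),
        "largest_group": max(salts.values(), default=0),
        "shared": {s: n for s, n in salts.items() if n > 1},
    }

if __name__ == "__main__":
    for name, fn in (("hour-of-day", hour_salt), ("random", random_salt)):
        r = audit_salts(sample_lines(fn))
        print(f"{name}: {r['entries']} entries, {r['distinct_salts']} distinct salts,"
              f" largest shared group {r['largest_group']}")
```

A `distinct_salts` count far below `entries` indicates the salt generator draws from a small space and should be replaced with a random source.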