CVE-2012-3287: md5crypt is no longer considered safe

---

• From: phk@xxxxxxxxxxx
• Date: Fri, 8 Jun 2012 00:04:49 GMT

---

The LinkedIn password incompetence has resulted in a number of "just use md5crypt and you'll be fine" pieces of advice on the net.

Since I no longer consider this to be the case, I have issued an official statement, as the author of md5crypt, to the opposite effect:

http://phk.freebsd.dk/sagas/md5crypt_eol.html

Please find something better now.

Thanks for using my code.

Poul-Henning Kamp

---

• Follow-Ups:
  • Re: CVE-2012-3287: md5crypt is no longer considered safe
    • From: Solar Designer

• Prev by Date: [SECURITY] [DSA 2480-3] request-tracker3.8 regression update
• Next by Date: Re: Mybb 1.6.8 Sql Injection Vulnerabilitiy
• Previous by thread: [SECURITY] [DSA 2480-3] request-tracker3.8 regression update
• Next by thread: Re: CVE-2012-3287: md5crypt is no longer considered safe
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2012-06