RE: SHA-1 vs. triple-DES for password encryption?

From: Jonathan Wilkins (jwilkins@microsoft.com)
Date: 11/11/02


Date: Mon, 11 Nov 2002 10:36:23 -0800
From: "Jonathan Wilkins" <jwilkins@microsoft.com>
To: "David Wagner" <daw@mozart.cs.berkeley.edu>, <secprog@securityfocus.com>

Speed is not desirable for password hashes. The faster you can
generate a hash, the faster a brute force attack is. MD5 is a
poor choice. Use SHA-1.

Even better, use multiple rounds of SHA-1.

For a demonstration MD5 brute force password cracker check out
MDCrack at http://membres.lycos.fr/mdcrack/index2.html
It can do in excess of 2 million attempts per second.

> -----Original Message-----
> From: David Wagner [mailto:daw@mozart.cs.berkeley.edu]
> Sent: Monday, November 11, 2002 8:33 AM
> To: secprog@securityfocus.com
> Subject: Re: SHA-1 vs. triple-DES for password encryption?
>
>
> Oscar Batyrbaev wrote:
> >1. truncating to 8 bytes will increase the hazard from the "birthday"
> >paradox; Thus the risk is not 2^64 as was suggested earlier but about
> >2^32 that the birthday attack succeeds with probability 0.5 or 50%.
> >The risk is too high even when you deal with passwords.
>
> This is completely wrong. Birthday attacks are basically irrelevant
> when we hash passwords. Hint: the Unix password hash has only 64 bits
> of output; have you ever seen anyone use a birthday attack on it?
>
> >2. Why not use MD5? It is significantly faster (about 5 times) than
> >SHA-1 and [...]
>
> This is bad advice. Almost all cryptographers I know recommend using
> SHA-1 over MD5 in new designs, where possible.
>
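
Added example (not part of the original message or thread): a sketch of the "multiple rounds of SHA-1" idea, showing how the round count sets the cost of every password guess. The per-password salt, the record format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time


def stretch_sha1(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated SHA-1: every round re-hashes the previous digest."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.sha1(salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest + salt + password).digest()
    return digest


def make_record(password: bytes, rounds: int = 100_000) -> str:
    """Store the round count and salt beside the digest so verify() can replay them."""
    salt = os.urandom(16)  # per-password random salt (assumption, not in the post)
    return f"{rounds}${salt.hex()}${stretch_sha1(password, salt, rounds).hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    rounds, salt_hex, digest_hex = record.split("$")
    candidate = stretch_sha1(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(rounds: int, trials: int = 20) -> float:
    """Measure how many password candidates this machine can test per second."""
    salt = b"\x00" * 16  # constructed fixed salt, used for timing only
    start = time.perf_counter()
    for i in range(trials):
        stretch_sha1(b"candidate%d" % i, salt, rounds)
    return trials / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    record = make_record(b"correct horse", rounds=50_000)  # constructed sample password
    print(record, verify(b"correct horse", record), verify(b"wrong", record))
    for r in (1, 1_000, 50_000):
        print(f"{r:>6} rounds: {guesses_per_second(r):,.0f} guesses/s")
```

The guess rate falls roughly in proportion to the round count, for the legitimate verifier and for a brute-force search alike. PBKDF2 (available in Python as hashlib.pbkdf2_hmac) is the standardized form of this iterated construction.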


