RE: SHA-1 vs. triple-DES for password encryption?

From: Jonathan Wilkins (
Date: 11/11/02

Date: Mon, 11 Nov 2002 10:36:23 -0800
From: "Jonathan Wilkins" <>
To: "David Wagner" <>, <>

Speed is not desirable for password hashes. The faster you can
generate a hash, the faster a brute force attack is. MD5 is a
poor choice. Use SHA-1.

Even better, use multiple rounds of SHA-1.

For a demonstration MD5 brute force password cracker check out
MDCrack at
It can do in excess of 2 million attempts per second..

> -----Original Message-----
> From: David Wagner []
> Sent: Monday, November 11, 2002 8:33 AM
> To:
> Subject: Re: SHA-1 vs. triple-DES for password encryption?
> Oscar Batyrbaev wrote:
> >1. truncating to 8 bytes will increase the hazard from the
> "birthday" paradox;
> >Thus The risk is not 2^64 as was suggested earlier but about
> 2^32 that the
> >birthday attack succeeds with probability 0.5 or 50%. The
> risk is too high even
> >when you deal with passwords.
> This is completely wrong. Birthday attacks are basically irrelevant
> when we hash passwords. Hint: the Unix password hash has only 64 bits
> of output; have you ever seen anyone use a birthday attack on it?
> >2. Why not use MD5? It is significantly faster (about 5 times) than
> >SHA-1 and [...]
> This is bad advice. Almost all cryptographers I know recommend using
> SHA-1 over MD5 in new designers, where possible.