RE: SHA-1 vs. triple-DES for password encryption?

From: Jonathan Wilkins (jwilkins@microsoft.com)
Date: 11/11/02


Date: Mon, 11 Nov 2002 10:36:23 -0800
From: "Jonathan Wilkins" <jwilkins@microsoft.com>
To: "David Wagner" <daw@mozart.cs.berkeley.edu>, <secprog@securityfocus.com>

Speed is not desirable for password hashes. The faster you can
generate a hash, the faster a brute force attack is. MD5 is a
poor choice. Use SHA-1.

Even better, use multiple rounds of SHA-1.

For a demonstration MD5 brute force password cracker check out
MDCrack at http://membres.lycos.fr/mdcrack/index2.html
It can do in excess of 2 million attempts per second..

> -----Original Message-----
> From: David Wagner [mailto:daw@mozart.cs.berkeley.edu]
> Sent: Monday, November 11, 2002 8:33 AM
> To: secprog@securityfocus.com
> Subject: Re: SHA-1 vs. triple-DES for password encryption?
>
>
> Oscar Batyrbaev wrote:
> >1. truncating to 8 bytes will increase the hazard from the
> "birthday" paradox;
> >Thus The risk is not 2^64 as was suggested earlier but about
> 2^32 that the
> >birthday attack succeeds with probability 0.5 or 50%. The
> risk is too high even
> >when you deal with passwords.
>
> This is completely wrong. Birthday attacks are basically irrelevant
> when we hash passwords. Hint: the Unix password hash has only 64 bits
> of output; have you ever seen anyone use a birthday attack on it?
>
> >2. Why not use MD5? It is significantly faster (about 5 times) than
> >SHA-1 and [...]
>
> This is bad advice. Almost all cryptographers I know recommend using
> SHA-1 over MD5 in new designers, where possible.
>