Re: use SHA1 or SHA256 instead of MD5 for /etc/shadow ?



Unruh wrote:
Peter Pearson <ppearson@xxxxxxxxxxxxxxx> writes:

On Sun, 27 Jan 2008 05:01:53 GMT, Reid Fleming wrote:
With rainbow tables for MD5 now available out there, is it possible to
use SHA1 or SHA256 instead of MD5 in /etc/shadow? If not, is somebody
working on it?

Since you refer to /etc/shadow, you're probably talking about
Unix or Linux login, in which case your system is almost certainly
using salt, in which case rainbow tables are not a concern.

Furthermore, unix/linux does not use a straight md5 hash. It uses a god
awful mixture of things, including md5 many many times, but other mangling
as well, including salts.

Substituting in straight SHA1 is liable to make it worse not better.

To see the method used by the shadow suite see:

http://www.hccfl.edu/pollock/AUnix3/PasswordSecurity.htm#MD5passwords

Note you can use SHA-X (where X=256, 384, or 512) if you want using
the same mechanism as is used for MD5. This might make your
system marginally more secure. But practically speaking, MD5
is likely to be adequate protection for many years to come.

-Wayne
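
The thread's points about salts and about the scheme used in /etc/shadow can be checked on a given system by reading the `$id$salt$hash` field of each entry. The sketch below is an added example, not part of the original posts: `classify`, `audit` and the sample lines are constructed for illustration, and the hash bodies are placeholders.

```python
import re
from collections import defaultdict

# crypt(3) scheme ids found in the second field of /etc/shadow.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# md5-crypt always runs 1000 iterations; sha-crypt defaults to 5000.
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}
FIELD = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>.+)$")

def classify(shadow_line):
    """Return (user, scheme, rounds, salt) for one /etc/shadow line."""
    user, field = shadow_line.rstrip("\n").split(":")[:2]
    field = field.lstrip("!")          # a leading '!' marks a locked account
    if field in ("", "*"):
        return user, "no-hash", None, None
    m = FIELD.match(field)
    if m:
        sid = m["id"]
        rounds = int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS.get(sid)
        return user, SCHEMES.get(sid, "unknown:" + sid), rounds, m["salt"]
    if len(field) == 13:               # traditional DES crypt: 2-char salt + 11
        return user, "des-crypt", 25, field[:2]
    return user, "unrecognised", None, None

def audit(lines):
    """Map each scheme to its users, and list salts shared by several users."""
    by_scheme, by_salt = defaultdict(list), defaultdict(list)
    for line in lines:
        user, scheme, _rounds, salt = classify(line)
        by_scheme[scheme].append(user)
        if salt:
            by_salt[salt].append(user)
    shared = {s: u for s, u in by_salt.items() if len(u) > 1}
    return dict(by_scheme), shared

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = [
    "alice:$1$Ab3dEf9h$PLACEHOLDERHASH:13900:0:99999:7:::",
    "bob:$6$rounds=20000$Qw7rTy2u$PLACEHOLDERHASH:13900:0:99999:7:::",
    "carol:$5$Ab3dEf9h$PLACEHOLDERHASH:13900:0:99999:7:::",
    "daemon:*:13900:0:99999:7:::",
    "dave:!$1$Zx8cVb1n$PLACEHOLDERHASH:13900:0:99999:7:::",
]

if __name__ == "__main__":
    schemes, shared = audit(SAMPLE)
    print(schemes)
    print("salts used by more than one account:", shared)
```

A salt that appears on more than one account is worth a look, since per-account salts are what keep one precomputed table from applying to every entry.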