Re: use SHA1 or SHA256 instead of MD5 for /etc/shadow ?

Unruh wrote:
Peter Pearson <ppearson@xxxxxxxxxxxxxxx> writes:

On Sun, 27 Jan 2008 05:01:53 GMT, Reid Fleming wrote:
With rainbow tables for MD5 now available out there, is it possible to
use SHA1 or SHA256 instead of MD5 in /etc/shadow? If not, is somebody
working on it?

Since you refer to /etc/shadow, you're probably talking about
Unix or Linux login, in which case your system is almost certainly
using salt, in which case rainbow tables are not a concern.

Furthermore, usnix/linux does not use a straight md5 hash. It uses a god
awful mixture of things, including md5 many many time, but oether mangling
as well, including salts.

Substituting in straight SHA1 is liable to make it worse not better.

To see the method used by the shadow suite see:

Not you can use SHA-X (where X=256, 384, or 512) if you want using
the same mechanism as is used for MD5. This might make your
system marginally more secure. But practically speaking, MD5
is likely to be adequate protection for many years to come.