Re: unix passwords
From: David Magda (dmagda+netnews_at_ee.ryerson.ca)
Date: 04/25/03
- Previous message: Damian Menscher: "Tripwire oddity"
- In reply to: all mail refused: "Re: unix passwords"
- Next in thread: all mail refused: "Re: unix passwords"
- Reply: all mail refused: "Re: unix passwords"
Date: 25 Apr 2003 08:19:20 -0400
elvis@notatla.demon.co.uk (all mail refused) writes:
> >Not much use in that. Most systems that store the password in
> >/etc/shadow these days also use the MD5 based hash and not the crypt(3)
> >based hash which John the Ripper attacks. Since the MD5 based one is
>
> John does md5 too...
Using MD5 instead of DES (which is what crypt(3) basically is)
doesn't really solve any security issues -- it just moves them into
the future.
Eventually computers will be fast enough that MD5 hashes can be
attacked just as quickly as crypt(3) ones.
The only "future proof" technique is OpenBSD's bcrypt setup:
http://www.openbsd.org/events.html#usenix99
Their paper describing the technique is at:
http://www.openbsd.org/papers/bcrypt-paper.ps
Really quite an ingenious way of doing things.
--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well
under the old conditions, and lukewarm defenders in those who may do
well under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
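
The three schemes discussed in this thread, seen from the auditing side, as an added example that is not part of the original post: it classifies /etc/shadow hash fields by format and reads the cost value that bcrypt stores inside the hash itself, which is the knob that lets the work factor be raised as hardware gets faster. The sample entries are constructed filler, and `min_cost` is a hypothetical site policy value.

```python
import re
# bcrypt hash: $2<variant>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d\d)\$[./A-Za-z0-9]{53}$")
DES_CRYPT = re.compile(r"^[./A-Za-z0-9]{13}$")  # traditional crypt(3): 2-char salt + 11

def classify(field):  # returns (scheme, bcrypt cost or None) for one hash field
    if field == "":
        return ("empty", None)          # no password required at all
    h = field.lstrip("!")               # leading '!' marks a locked account
    if h in ("", "*"):
        return ("none", None)           # no usable hash, login disabled
    m = BCRYPT.match(h)
    if m:
        return ("bcrypt", int(m.group(1)))
    if h.startswith("$1$"):
        return ("md5-crypt", None)
    if DES_CRYPT.match(h):
        return ("des-crypt", None)
    return ("unknown", None)

def audit(lines, min_cost=10):          # min_cost: hypothetical site policy
    findings = []                       # (user, scheme, note) per entry with a hash
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2:
            continue
        scheme, cost = classify(parts[1])
        if scheme == "none":
            continue
        if scheme == "bcrypt":
            note = "ok" if cost >= min_cost else f"cost {cost} below policy {min_cost}"
        elif scheme in ("md5-crypt", "des-crypt"):
            note = "fixed work factor, migrate at next password change"
        else:
            note = "review manually"
        findings.append((parts[0], scheme, note))
    return findings

# Constructed sample entries; the hash bodies are filler, not real hashes.
TAIL = ":12167:0:99999:7:::"
SAMPLE = [
    "root:$2a$08$" + "C" * 53 + TAIL,
    "alice:$1$constrct$" + "C" * 22 + TAIL,
    "bob:abCONSTRUCTED" + TAIL,
    "daemon:*" + TAIL,
    "carol:!$2b$12$" + "C" * 53 + TAIL,
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```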