Security Basics mailing list archives
Re: CISCO MD5 encryption
From: Matthew Caron <Matt.Caron () sixnet com>
Date: Wed, 23 Feb 2011 09:28:11 -0500
On 02/22/2011 12:29 PM, McCaulty x wrote:
> Please excuse my ignorance...why is it unsafe to use MD5 hashing?
From a signature perspective, because researchers have managed to produce collisions.
From a password perspective, because it doesn't take long enough.
Basically, given a password which is in your rainbow table or dictionary combinations:
- salted versions will take longer than unsalted versions
- SHA1 will take longer than MD5
- SHA256 will take longer than SHA1
In the case of rainbow tables, anything which will "take longer" will cause the table to be larger as well (because not only do you have to generate all these combinations, you need to store them as well).
Ultimately, the best way to avoid a brute force attack is to not have the password be in the dictionary being used to attack you - something semirandom like those produced by `apg` gets a lot harder to break in that fashion.
This is somewhat apropos because of the recent HBGary hack:
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
Unsalted MD5 + weak passwords used across multiple systems == p0wned.
--
Matthew Caron
Build Engineer
Sixnet | www.sixnet.com
O +1 518 877 5173 Ext. 138
F +1 518 602 9209
matt.caron () sixnet com
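Added example, not part of the original message: a small password-store audit showing the two effects described above, that one precomputed table covers every unsalted MD5 hash while per-account salts force the work to be redone, and that a deliberately slow hash raises the cost of each guess. The account names, guess list and the choice of PBKDF2 as the "takes longer" function are assumptions made for illustration.

```python
import hashlib, os, time

# Constructed sample data: a tiny guess list and three hypothetical accounts.
GUESSES = ["123456", "password", "letmein", "qwerty", "dragon"]
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "xK9#vR2m!qLz"}

def md5_hex(pw, salt=b""):
    return hashlib.md5(salt + pw.encode()).hexdigest()

def slow_hex(pw, salt, rounds=100_000):
    # PBKDF2 is an assumption here, standing in for "a hash that takes longer".
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()

def audit_unsalted(stored):
    """stored: user -> hash. One precomputed table is reused for every account."""
    table = {md5_hex(g): g for g in GUESSES}      # len(GUESSES) hashes, computed once
    weak = {u: table[h] for u, h in stored.items() if h in table}
    return weak, len(GUESSES)

def audit_salted(stored):
    """stored: user -> (salt, hash). The hashing must be redone for each salt."""
    weak, work = {}, 0
    for user, (salt, h) in stored.items():
        for g in GUESSES:
            work += 1
            if md5_hex(g, salt) == h:
                weak[user] = g
                break
    return weak, work

def seconds_per_hash(fn, n):
    start = time.perf_counter()
    for _ in range(n):
        fn()
    return (time.perf_counter() - start) / n

def demo():
    """Build an unsalted and a salted store from the same constructed accounts."""
    unsalted = {u: md5_hex(p) for u, p in ACCOUNTS.items()}
    salted = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(16)
        salted[u] = (salt, md5_hex(p, salt))
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = demo()
    print("alice and bob share a hash (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("unsalted audit:", audit_unsalted(unsalted))
    print("salted audit:  ", audit_salted(salted))
    print("md5 s/hash:   ", seconds_per_hash(lambda: md5_hex("password"), 10_000))
    print("pbkdf2 s/hash:", seconds_per_hash(lambda: slow_hex("password", b"s" * 16), 5))
```

The random-looking password is found by neither audit, which is the point about keeping the password out of the dictionary; salting and slower hashing only raise the cost of guesses that are in it.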