Bugtraq mailing list archives
Re: passwd hashing algorithm
From: casper () fwi uva nl (Casper Dik)
Date: Fri, 14 Apr 1995 12:32:45 +0200
> I think you're off base. :) The weakness involves the speed with which you can des data. Doing 3des means you (roughly) triple the attack time, which means that in about 2 years, we'll be back where we are today. Remember that Crack doesn't really crack passwords, it just tries to send in lots of passwords, and see when the output matches.
Using triple des instead does not increase crack time at all. crypt(3) is 25-fold des, so triple des would give an 8-fold increase in crack speed. Using triple des will severely weaken the password algorithm. (Note that the crypt(3) algorithm doesn't "encrypt" the password, it uses the password to encrypt an all 0 bits plain text 25 times with a lightly modified des.)
> What you want is a strong authenticating function; something that the user can do to demonstrate identity (and possibly possession) to a server. I doubt that reusable passwords are up to the task, unless you're using some solid encryption client. If you're going to build a smart client, you might as well build in smart authentication.
Correct. Challenge/response systems are probably best, as they need not require the remote terminal to have any intelligence at all. You need to carry your "challenge responder (token card, skey list)" with you though. Running encrypted sessions over the internet will require much more from the remote end. And it'll require some form of cooperation from the authorities.

Casper
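An added model of the construction Casper describes (example code, not from the thread): the password is the key, the plaintext is an all-zero block, the salt modifies the cipher, and the cipher is iterated 25 times. A SHA-256-based keyed function stands in for the salt-modified DES (it is not DES; this is an assumption made so the example runs with the standard library), and `cost_ratio` counts block operations per verification to show why going from 25 rounds to 3 makes each guess roughly 8x cheaper.

```python
import hashlib
from typing import Optional

CRYPT3_ROUNDS = 25   # crypt(3) applies its salt-modified DES 25 times

def keyed_block_fn(key: bytes, block: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for the salt-modified DES used by crypt(3).
    It is NOT DES: just a keyed 64-bit function built from SHA-256 so the
    example is self-contained. Only the shape is kept: 8-byte key, 8-byte
    block, and the salt alters the function itself."""
    return hashlib.sha256(key + salt + block).digest()[:8]

def iterated_crypt(password: str, salt: str, rounds: int = CRYPT3_ROUNDS,
                   counter: Optional[dict] = None) -> str:
    """Mirror the crypt(3) construction: the password is the KEY, the
    plaintext is an all-zero block, and the cipher is applied `rounds`
    times. The password itself is never encrypted or stored."""
    # crypt(3) keys DES from the first 8 characters, 7 bits each;
    # anything past 8 characters is silently ignored.
    key = bytes(ord(c) & 0x7F for c in password[:8]).ljust(8, b"\0")
    block = bytes(8)
    for _ in range(rounds):
        block = keyed_block_fn(key, block, salt.encode())
        if counter is not None:
            counter["block_ops"] += 1
    return salt + block.hex()

def verify(password: str, stored: str) -> bool:
    """Verification recomputes the hash and compares, which is also all a
    guessing tool can do: its rate is bounded by the cost of one hash."""
    return iterated_crypt(password, stored[:2]) == stored

def cost_ratio(rounds_a: int, rounds_b: int) -> float:
    """Block operations per verification under two round counts, e.g.
    25 (crypt(3)) vs 3 (a 3DES-based scheme): about 8.3x fewer for 3."""
    cost = {}
    for name, rounds in (("a", rounds_a), ("b", rounds_b)):
        counter = {"block_ops": 0}
        iterated_crypt("example", "ab", rounds, counter)
        cost[name] = counter["block_ops"]
    return cost["a"] / cost["b"]

if __name__ == "__main__":
    stored = iterated_crypt("example", "ab")
    print(stored, verify("example", stored), verify("wrong", stored))
    print("3 rounds vs 25: each guess is", round(cost_ratio(25, 3), 2), "x cheaper")
```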