Bugtraq mailing list archives
Re: passwd hashing algorithm
From: perry () imsi com (Perry E. Metzger)
Date: Fri, 14 Apr 1995 20:21:28 -0400
Rick Busdiecker says:
From: Adam Shostack <adam () bwh harvard edu>
Date: Thu, 13 Apr 1995 13:23:03 -0400 (EDT)
Doing to 3des means you (roughly) triple the attack time, which
means that in about 2 years, we'll be back where we are today.
This does not fit with my understanding of 3DES. I thought that 3DES
effectively tripled the key size, i. e. you have to derive three DES
keys simultaneously in order to crack.
The point is, however, that DES isn't used in crypt(3) as a cipher but as a weird hash function over an eight byte value, the password, and you aren't increasing this password's size so you aren't really improving the situation. Changing things so that the password could be much longer would actually help, however. A salted MD5 or SHA of a much longer passphrase space WOULD be more secure because brute force searches would actually be harder. Perry
Current thread:
- Re: UUCP/sendmail configs.. der Mouse (Apr 10)
- Re: UUCP/sendmail configs.. Dave Williss (Apr 11)
- Sendmail 5.65? David Cohen (Apr 11)
- Re: UUCP/sendmail configs.. Mark (Apr 12)
- passwd hashing algorithm Dave Stagner (Apr 13)
- Re: passwd hashing algorithm Adam Shostack (Apr 13)
- Re: passwd hashing algorithm Casper Dik (Apr 14)
- Re: passwd hashing algorithm Rick Busdiecker (Apr 14)
- Re: passwd hashing algorithm Adam Shostack (Apr 14)
- Re: passwd hashing algorithm Perry E. Metzger (Apr 14)
- I wanna get a mailing list... Kim Whi-kang (Apr 15)
- Re: passwd hashing algorithm Robert M. Haas (Apr 15)
- Re: UUCP/sendmail configs.. Dave Williss (Apr 11)