Bugtraq mailing list archives
Re: passwd hashing algorithm
From: newsham () aloha net (Timothy Newsham)
Date: Mon, 17 Apr 1995 08:39:48 -1000 (HST)
Too fast, it still allows dictionary attacks rather easily (yes I know that users should choose good passwords, but some won't). md5^500 (500 rounds of md5), or however many takes about 0.5 seconds on a fast
The hashing should be computationally adjusted and should be adjusted on each box to be barely tolerable. There should also be a salt value of course. An attacker shouldn't be allowed to precompute md5^(big num) and later do the (actual num - big num) md5's for your particular system.
-- Jon
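
The scheme discussed in this message, sketched as an added example (not code from the original post or thread): a round count calibrated per machine, a salt mixed into every round, and a check that an unsalted chain precomputed to "big num" rounds can be extended to the actual count while a salted one cannot. SHA-256 stands in for the thread's md5; the function names, the `rounds$salt$digest` record layout and the 50 ms target are assumptions made for illustration.

```python
import hashlib, hmac, os, time

def iterate(data: bytes, rounds: int, salt: bytes = b"") -> bytes:
    """Hash `rounds` times; the salt (if any) is mixed into every round."""
    h = data
    for _ in range(rounds):
        h = hashlib.sha256(salt + h).digest()
    return h

def calibrate(target_seconds: float = 0.05, probe: int = 2000) -> int:
    """Pick a round count that costs roughly target_seconds on this box."""
    start = time.perf_counter()
    iterate(b"probe", probe, b"salt")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))

def make_record(password: str, rounds: int) -> str:
    """Store the round count and a fresh random salt next to the digest."""
    salt = os.urandom(16)
    digest = iterate(password.encode(), rounds, salt)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    rounds, salt_hex, digest_hex = record.split("$")
    candidate = iterate(password.encode(), int(rounds), bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def unsalted_chain_is_reusable(password: bytes, big: int, actual: int) -> bool:
    """Without a salt, work done up to `big` rounds carries over to `actual`."""
    precomputed = iterate(password, big)
    return iterate(precomputed, actual - big) == iterate(password, actual)

def salted_chain_is_reusable(password: bytes, big: int, actual: int,
                             salt: bytes) -> bool:
    """With the salt in every round, work done before the salt was known
    cannot be extended to the stored value."""
    precomputed = iterate(password, big)  # computed without the salt
    return (iterate(precomputed, actual - big, salt)
            == iterate(password, actual, salt))

if __name__ == "__main__":
    rounds = calibrate()
    record = make_record("constructed-sample-password", rounds)
    print(rounds, verify("constructed-sample-password", record))
    print(unsalted_chain_is_reusable(b"pw", 300, 500))            # True
    print(salted_chain_is_reusable(b"pw", 300, 500, os.urandom(16)))  # False
```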