Bugtraq mailing list archives
Re: passwd hashing algorithm
From: watt () sware com (Charlie Watt)
Date: Thu, 20 Apr 1995 14:59:58 -0400 (EDT)
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
X-Sensitivity-Label: 1,CMW+3.0/SCO_2.1/sware.com,UNCLASSIFIED
X-Information-Label: 1,CMW+3.0/SCO_2.1/sware.com,UNCLASSIFIED
> Charlie Watt <watt () sware com>
>> As you point out, a better cryptographic linkage between blocks would force the attacker to search the full password space for a given multiblock password rather than break it down into separate 8 byte searches. We will incorporate this into our next release. Thanks for the feedback.
>
> Why not just use md5 instead?
>
> -Dave

We provide hooks into the password mechanism so that an installation can easily insert a site specific hashing scheme. The default mechanism is based upon crypt() purely for marketing reasons -- that is the way it has always been done and that is the way that most customers feel comfortable. It seems that "extensions" to the hash using crypt() that work the same as standard Unix for passwords <= 8 bytes but that can also accommodate longer passwords is an easier sell than something perceived as radically new and unproven. We do have more sophisticated customers who prefer to install their own algorithms. MD5 would be a reasonable choice, but even it would be judged inadequate (ONLY a 16 byte password hash space!) by some customers.

Charlie Watt
SecureWare, Inc.

-----END PRIVACY-ENHANCED MESSAGE-----
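
The block-linkage point in the message above, as an added example (not SecureWare's code and not something posted to the list): it contrasts hashing each 8-byte block on its own with a variant in which every block depends on the whole password. All function names are hypothetical, SHA-256 stands in for the crypt() step, and the linkage shown is one possible construction chosen for illustration.

```python
import hashlib

BLOCK = 8  # classic crypt() uses only 8 password bytes per call

def _blocks(password: bytes) -> list:
    return [password[i:i + BLOCK] for i in range(0, len(password), BLOCK)] or [b""]

def _h(salt: bytes, data: bytes) -> str:
    # Stand-in for one crypt() call (assumption: SHA-256 is used only so this runs anywhere).
    return hashlib.sha256(salt + b"\x00" + data).hexdigest()[:16]

def hash_independent(password: bytes, salt: bytes) -> list:
    """Hypothetical model of the criticised design: each block hashed alone."""
    return [_h(salt, b) for b in _blocks(password)]

def hash_linked(password: bytes, salt: bytes) -> list:
    """One possible linkage (assumption): every block is keyed by a digest of the whole password."""
    blocks = _blocks(password)
    if len(blocks) == 1:
        # Passwords of <= 8 bytes hash exactly as before, the compatibility property in the reply.
        return hash_independent(password, salt)
    whole = hashlib.sha256(salt + password).digest()
    return [_h(salt + whole + bytes([i]), b) for i, b in enumerate(blocks)]

def shared_blocks(h1: list, h2: list) -> list:
    """Block positions where two stored hashes agree, i.e. blocks testable in isolation."""
    return [i for i, (a, b) in enumerate(zip(h1, h2)) if a == b]

def worst_case_guesses(alphabet: int, length: int, independent: bool) -> int:
    """Guesses needed to cover every password of `length` characters."""
    full, rest = divmod(length, BLOCK)
    sizes = [BLOCK] * full + ([rest] if rest else [])
    if independent:
        return sum(alphabet ** n for n in sizes)  # one small search per block
    return alphabet ** length                     # one search over the full space

if __name__ == "__main__":
    salt = b"ab"  # constructed sample values
    p1, p2 = b"correcthorsebattery", b"correcthXXXXXXXXery"
    print(shared_blocks(hash_independent(p1, salt), hash_independent(p2, salt)))
    print(shared_blocks(hash_linked(p1, salt), hash_linked(p2, salt)))
    print(worst_case_guesses(26, 16, True), worst_case_guesses(26, 16, False))
```

With independent blocks the two sample passwords agree on every block they have in common, and the search cost is the sum of the per-block spaces; with the linked variant no block matches and the cost is the product.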