Bugtraq mailing list archives
Re: Digital Unix 4 protected password database.
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Wed, 10 Mar 1999 17:44:40 -0500
I once posted a better algorithm than this [...]... but it never got adopted, and anyway, MD5 or SHA1 is a much better bet.
Years ago, I did an MD5-based crypt(3) for NetBSD. I've been using it ever since. I believe it is significantly better for several reasons. One, of course, is that it's nonstandard and hence not vulnerable to stock crack-alikes - but quite aside from that, it has benefits:

- MD5 is of clearer US export status than DES (even encryption-only DES engines can be used for data secrecy if you use CFB or OFB).
- The salt is large enough for the foreseeable future (128 bits).
- The round count is a parameter and is stored as part of the hash (meaning, there's no compatibility issue involved with raising this as CPUs get faster).
- The hash format is extensible (it begins with a version number).

Of course, *any* hash except the "standard" traditional one may introduce compatibility problems if it's shared with NIS (nee YP) or moral equivalent.

I will be happy to send a copy of the code, or a text description of the algorithm, to anyone who wants one.

der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
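Added illustration, not part of the original message and not der Mouse's code: a sketch of a self-describing hash string with the properties the message lists (leading version number, stored round count, 128-bit salt), showing how a stored round count lets old hashes keep verifying while the cost is raised. The `$version$rounds$salt$digest` layout, the function names and `MAX_ROUNDS` are hypothetical, and PBKDF2-HMAC-SHA256 is swapped in because the MD5-based algorithm itself is not described on this page.

```python
import hashlib
import hmac
import os

VERSION = 1           # hypothetical format version; first field of the string
SALT_BYTES = 16       # 128-bit salt, as in the message
MAX_ROUNDS = 10**7    # assumed cap so a tampered record cannot demand unbounded work

def _derive(password, salt, rounds):
    # Stand-in KDF (assumption): PBKDF2-HMAC-SHA256, not the MD5 scheme from the post.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def make_hash(password, rounds, salt=None):
    """Build '$version$rounds$salt$digest' with hex-encoded salt and digest."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = _derive(password, salt, rounds)
    return "$%d$%d$%s$%s" % (VERSION, rounds, salt.hex(), digest.hex())

def parse_hash(stored):
    """Split a stored string into (rounds, salt, digest); reject anything unexpected."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "":
        raise ValueError("malformed hash string")
    version, rounds = int(parts[1]), int(parts[2])
    if version != VERSION:
        raise ValueError("unsupported hash version %d" % version)
    if not 1 <= rounds <= MAX_ROUNDS:
        raise ValueError("round count out of range")
    salt, digest = bytes.fromhex(parts[3]), bytes.fromhex(parts[4])
    if len(salt) != SALT_BYTES:
        raise ValueError("unexpected salt length")
    return rounds, salt, digest

def verify(password, stored, current_rounds):
    """Check a password using the rounds recorded in the hash itself.

    Returns (ok, replacement). replacement is a fresh hash at current_rounds
    when the password is correct and the stored cost is below current policy,
    otherwise None.
    """
    rounds, salt, digest = parse_hash(stored)
    ok = hmac.compare_digest(_derive(password, salt, rounds), digest)
    if ok and rounds < current_rounds:
        return True, make_hash(password, current_rounds)
    return ok, None

if __name__ == "__main__":
    old = make_hash("constructed-sample-password", 1000)  # constructed sample input
    print(old)
    print(verify("constructed-sample-password", old, 5000))
```
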