Firewall Wizards mailing list archives
Re: strong passwords (was Radius/MS ISA stuff)
From: Barney Wolff <barney () tp databus com>
Date: Mon, 8 Jul 2002 12:32:34 -0400
You're looking at the wrong number. The Birthday Paradox means that *if you have 2^64 things* you've got about a 50:50 chance of finding two that hash to the same value. But you still have to look at about 2^127 things to find one with a hash equal to a desired one. You're much wiser to attack the password itself than MD5.

CHAP demands good passwords. As a practical matter, that means a random system-assigned password, kept on the client's computer, rather than a user-chosen password. If the client's computer has been hacked, the keystroke monitor will capture a user-entered password, no matter how good, so there's little added risk in letting the computer keep it.

The trouble with letting the ISP accept any <joeshmo () bigcorp com> and doing the real authentication later via IPsec or equivalent is that there is no standard way for bigcorp's authentication server to then tell the ISP to disconnect the caller.

On Mon, Jul 08, 2002 at 11:40:14AM -0400, Paul Robertson wrote:
> Ha! 2^64 is the "strength" of MD5 given collisions, methinks the number is more significant than "just made up!" SHA1 is good for 2^128, I've always wondered why all the crypto geeks didn't go to SHA1 for password hashes.
--
Barney Wolff
I never met a computer I didn't like.
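The difference between the two numbers in the message above (a birthday collision versus a match for one desired hash value) can be measured on a scaled-down hash. This is an added example, not part of the original post: it assumes MD5 truncated to 16 bits as a stand-in for the full 128-bit digest, and the function names and input strings are made up for the illustration.

```python
import hashlib
from itertools import count

def trunc_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data): a toy n-bit hash standing in for 128-bit MD5."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def collision_work(bits: int, trial: int):
    """Hash distinct inputs until ANY two share a value (birthday search)."""
    seen = {}
    for i in count():
        msg = b"c-%d-%d" % (trial, i)          # constructed sample inputs
        h = trunc_md5(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg          # hashes computed, colliding pair
        seen[h] = msg

def preimage_work(bits: int, trial: int):
    """Hash distinct inputs until one matches a value fixed in advance."""
    target = trunc_md5(b"desired-%d" % trial, bits)
    for i in count():
        msg = b"p-%d-%d" % (trial, i)          # constructed sample inputs
        if trunc_md5(msg, bits) == target:
            return i + 1, msg, target           # hashes computed, match, target

def compare(bits: int = 16, trials: int = 10):
    """Mean hash evaluations for each search, averaged over `trials` runs."""
    coll = sum(collision_work(bits, t)[0] for t in range(trials)) / trials
    pre = sum(preimage_work(bits, t)[0] for t in range(trials)) / trials
    return coll, pre

if __name__ == "__main__":
    bits = 16
    coll, pre = compare(bits)
    # Collision cost scales with 2^(bits/2); hitting one chosen value scales with 2^bits.
    print(f"{bits}-bit hash: collision in ~{coll:.0f} hashes (2^{bits // 2} = {2 ** (bits // 2)})")
    print(f"{bits}-bit hash: preimage in  ~{pre:.0f} hashes (2^{bits} = {2 ** bits})")
```

Each extra output bit adds half a bit of work to the collision search and a full bit to the search for one chosen value, which is the gap between 2^64 and roughly 2^127 at MD5's real size.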