Vulnerability Development mailing list archives
Re: OpenSSH Password Question
From: Bennett Todd <bet () RAHUL NET>
Date: Sun, 10 Dec 2000 22:22:59 -0500
2000-12-10-08:20:39 Bluefish (P.Magnusson):
> As a minor comment, I've heard some people (not in this ml) complain about the fact that old-fashioned unix cuts passwords and think it would be a great idea to update the old crypt to support longer DES passwords.
On lots of platforms this has been done, incidentally also replacing the old DES with a newer hash (various platforms use various newer hashes) that can hash more bits. DES remains in use mostly just where backward compat with existing crypted passwords remains important, or where there's really wretched, loathsome sludge sqooged all through the system where nothing short of a complete nuke and rebuild, which will never be done, will stand a chance of rooting it all out (NIS).
> Assume you use strong passwords with a-zA-Z0-9 and 8 characters long passwords. You get 36^8 possible different passwords, [...]
a-zA-Z0-9 is 62, no? So it'd be 62^8?
> which are hashed into a 2^40 bit DES hash.
Whoops, DES's input is 56 bits, but the output of the hash is 64. 40 bits only shows up when someone deliberately cripples DES, typically by wiring some of the key bits to something they know. Whenever I hear about people doing that sort of thing, I get this image of Woody Allen as Jimmy Bond in Casino Royale.
> But 36^8 / 2^40 = 2.6, meaning that each checksum has multiple matches.
Since the question was passwords _longer_ than 8 characters, you can still make this sort of math work out; say instead that 62^10 / 2^56 ~= 11.65.
> The hash is no longer able to improve security.
But _that's_ not true, not true at all. As long as people pick passwords from small alphabets, and with strong digraph and trigraph correlation --- as long as the typical chosen user password entropy really isn't all that much better than the couple of bits/byte of normal prose --- much longer passphrases continue to buy important benefits, even if they are hashed into smaller spaces with collisions.
> That's why we use MD5 instead :)
Don't get me wrong. MD5 is a better choice. SHA-1 is likely better still. But the possibly-improved cryptosystem, with the definitely-improved number of bits, is very much secondary to the ability to use longer passphrases; a DES trick that simply took the extra text and xor-ed it in the second time through, or some such, would be far, far stronger than the classic truncate-at-8, and would retain backward (and partial forward) compatibility. I.e. passwords 8 chars or less would work identically. If anybody has got a setup that has something like NIS wired inextricably into it, you might want to give this a ponder. Oh, and BTW, DES's keysize reflects the design practice of providing eight bytes of key material, and discarding their parity bits, so if users could pick 8-character passwords including all ASCII control characters as well as all ASCII printables, from NUL through DEL (0x7F), they'd exactly cover the DES keyspace. -Bennett
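The keyspace and hash-width arithmetic argued over in the exchange above, as an added Python example that is not part of the original post or of any crypt implementation. The `truncating_hash` function is an assumed stand-in: it runs SHA-256 over only the first eight characters so the demo carries no dependency on the deprecated `crypt` module; it models the truncate-at-8 behaviour of classic crypt(3) that the thread discusses, not the real DES-based algorithm. The entropy figures for prose-like passphrases use the "couple of bits per byte" rule of thumb from the post as a parameter, not a measured value.

```python
"""Keyspace vs. hash-width arithmetic from the OpenSSH password thread,
plus a demonstration of why truncate-at-8 throws away passphrase length.

Added example; the truncating hash is a constructed stand-in for classic
crypt(3)'s truncation, not a DES implementation.
"""
import hashlib
import math
import string
from typing import Optional

# Alphabets referenced in the thread.  128 symbols is NUL (0x00) .. DEL (0x7F).
ALPHANUM = string.ascii_letters + string.digits  # 62 symbols
ASCII_ALL = 128


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def passwords_per_hash(alphabet_size: int, length: int, hash_bits: int) -> float:
    """Average number of passwords that land on each possible hash value.

    A result above 1 means the output space is smaller than the password
    space, so some passwords must collide (pigeonhole).  This is the
    36^8 / 2^40 and 62^10 / 2^56 figure from the thread.
    """
    return keyspace(alphabet_size, length) / 2 ** hash_bits


def entropy_bits(alphabet_size: int, length: int,
                 bits_per_char: Optional[float] = None) -> float:
    """Entropy of a password in bits.

    With no `bits_per_char`, assume uniform random choice from the alphabet.
    Pass a lower figure (e.g. 2.0, the rough prose estimate in the post) to
    model human-chosen passphrases with strong digraph/trigraph correlation.
    """
    per_char = math.log2(alphabet_size) if bits_per_char is None else bits_per_char
    return per_char * length


def truncating_hash(password: str, keep: int = 8) -> str:
    """Stand-in for a truncate-at-8 password hash (assumption: SHA-256 is used
    only so this runs offline; the truncation, not the digest, is the point)."""
    return hashlib.sha256(password[:keep].encode("utf-8")).hexdigest()


def length_is_wasted(password: str, keep: int = 8) -> bool:
    """Defender's check: does a truncating hash ignore part of this password?

    True when characters beyond `keep` exist, i.e. the user believes they have
    a longer secret than the hash actually protects.
    """
    return len(password) > keep


if __name__ == "__main__":
    print("62^8 keyspace:", keyspace(62, 8))
    print("36^8 / 2^40 =", round(passwords_per_hash(36, 8, 40), 2))
    print("62^10 / 2^56 =", round(passwords_per_hash(62, 10, 56), 2))
    print("128^8 == 2^56:", keyspace(ASCII_ALL, 8) == 2 ** 56)
    print("random 8 alnum bits:", round(entropy_bits(62, 8), 1))
    print("30-char prose @2 bits/char:", entropy_bits(95, 30, 2.0))
    # Two different passphrases sharing their first 8 characters collide.
    a, b = "correct horse battery", "correct horse staple"
    print("truncated hashes equal:", truncating_hash(a) == truncating_hash(b))
    print("length wasted:", length_is_wasted(a))
```

The last two prints are the failure mode the thread is about: under a truncate-at-8 scheme, every passphrase beginning with `correct ` verifies identically, so a 21-character passphrase offers exactly the protection of an 8-character one. The entropy comparison shows the other side of Bennett's argument: a 30-character prose passphrase at roughly 2 bits per character (60 bits) still exceeds a random 8-character alphanumeric password (about 47.6 bits), which is why being able to hash the whole passphrase matters more than the width of the digest. A migration audit can use `length_is_wasted` against a password-policy minimum length to flag accounts whose credentials are silently clipped by a legacy hash.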