Bugtraq mailing list archives
Re: passwd hashing algorithm
From: adam () bwh harvard edu (Adam Shostack)
Date: Thu, 13 Apr 1995 13:23:03 -0400 (EDT)
I think you're off base. :) The weakness involves the speed with which you can des data. Going to 3des means you (roughly) triple the attack time, which means that in about 2 years, we'll be back where we are today. Remember that Crack doesn't really crack passwords, it just tries to send in lots of passwords, and see when the output matches.

What you want is a strong authenticating function; something that the user can do to demonstrate identity (and possibly possession) to a server. I doubt that reusable passwords are up to the task, unless you're using some solid encryption client. If you're going to build a smart client, you might as well build in smart authentication.

Adam

| So what we're left with is replacing crypt() with something decently
| strong. How about triple DES? At this point in the game, triple DES
| seems as strong as anything available, and certainly far stronger than
| the existing scheme. It also would not change the length of the
| passwords on file or the basic authentication mechanism. Of course,
| this still doesn't solve the problem of weak passwords (which is still
| a basic attack mechanism for crack), but it would make
| minimum-password schemes much more effective, and increase the value
| of good passwords substantially.
|
| Someone tell me if I'm completely off-base here.

--
"It is seldom that liberty of any kind is lost all at once."
-Hume