From owner-freebsd-security Tue Jun 15 0: 0:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247])
	by hub.freebsd.org (Postfix) with ESMTP id CCD9915434
	for ; Tue, 15 Jun 1999 00:00:09 -0700 (PDT)
	(envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34])
	by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id QAA27062;
	Tue, 15 Jun 1999 16:30:08 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM)
	id AA09054; Tue, 15 Jun 1999 16:31:23 +0930
Date: Tue, 15 Jun 1999 16:31:22 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Poul-Henning Kamp
Cc: Warner Losh , Holtor , freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <5182.929429344@critter.freebsd.dk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

> >Are you using yp? If not, then there likely isn't much difference
> >between the two. MD5 was used as a replacement for DES when the des
> >routines were export controlled. Since no one but root can grab the
> >encrypted passwords, you'll gain nothing by moving from one to the
> >other.
>
> Uhm, sorry Warner, but that is not true. A brute force attack on
> MD5 is many orders of magnitude slower than on DES.

Warner's point, I believe, was that without using YP there's no easy way to
get at the encrypted passwords and thereby brute-force them. With YP (or
equivalently, some other bug/exploit which exposes the password file) then the
properties of your hash function do matter.

In reality of course, it's better to be safe and use strong password methods
even when they 'should' not be needed by virtue of the password file being
hidden.

Kris

>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
    -- Unknown


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message