Date: Tue, 02 Jun 2026 13:26:56 +0000
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 272902] Security: allow passphrases for WPA-EAP to be saved without using clear text
Message-ID: <bug-272902-21060-rrasVzHkSP@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272902-21060@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272902

Alexander Ziaee <ziaee@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Not Accepted
             Status|Open                        |Closed

--- Comment #12 from Alexander Ziaee <ziaee@FreeBSD.org> ---
Thank you for the proposal. We will not be implementing support for MD4-hashed
passphrases or adding them to our documentation.

1. MD4 has been completely insecure for three decades. Research in 2007
   demonstrates that collisions can be found in as few as two hash operations
   [0]. Recommending a broken cryptographic primitive provides a false sense of
   security while offering zero protection.

2. Storing a passphrase in a file restricted to root read-access is standard
   practice. This is structurally different from a browser storing passwords in
   unprivileged memory. To read this file, an attacker must already possess
   root privileges. If an attacker has root access, the system is entirely
   compromised, and an MD4 hash provides zero additional protection.

We will not publish documentation that directs operators to implement known
security vulnerabilities. If you come across any remaining MD4 or MD5
references in our current documentation, please let us know so we can remove
them.

[0]: https://www.iacr.org/archive/fse2007/45930331/45930331.pdf

-- 
You are receiving this mail because:
You are the assignee for the bug.
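Point 2 of the comment rests on the passphrase file being readable by root only. The following is an added example, not part of the bug report or FreeBSD's own code, of a POSIX sh check for that property; the function name check_secret_file and its optional owner-uid argument are assumptions of this example, and the file to audit is supplied by the caller.

```shell
#!/bin/sh
# Added example: verify that a file holding a passphrase is owned by the
# expected user (root by default) and grants nothing to group or other.
#
# check_secret_file FILE [OWNER_UID]
#   returns 0 if compliant, 1 if ownership or mode is wrong,
#   2 if FILE is missing, a symlink, or not a regular file.
check_secret_file() {
    file=$1
    want_uid=${2:-0}

    # The mode of a symlink says nothing about its target, so refuse it.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 2
    fi

    # POSIX "ls -ln": field 1 is the mode string, field 3 the numeric owner.
    read -r mode _links uid _rest <<EOF
$(ls -ldn -- "$file")
EOF

    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid" >&2
        status=1
    fi

    # Mode string layout: type, owner rwx, group rwx, other rwx.
    # The six group/other positions must all be "-".
    case $mode in
        ????------*) ;;
        *) echo "$file: mode $mode grants group/other access" >&2
           status=1 ;;
    esac
    return "$status"
}

# When run as a script with arguments, audit the named file.
if [ "$#" -gt 0 ]; then
    check_secret_file "$@"
fi
```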
