From owner-freebsd-security  Tue Jun 15  0:22:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 63DF114D62
	for <freebsd-security@FreeBSD.ORG>; Tue, 15 Jun 1999 00:22:54 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.1) id JAA28428;
	Tue, 15 Jun 1999 09:22:09 +0200 (CEST)
	(envelope-from des)
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Warner Losh <imp@harmony.village.org>, Holtor <holtor@yahoo.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References: <Pine.OSF.4.10.9906151628010.1783-100000@bragg>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 15 Jun 1999 09:22:08 +0200
In-Reply-To: Kris Kennaway's message of "Tue, 15 Jun 1999 16:31:22 +0930 (CST)"
Message-ID: <xzp7lp6exnj.fsf@flood.ping.uio.no>
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway <kkennawa@physics.adelaide.edu.au> writes:
> Warner's point, I believe, was that without using YP there's no easy way to
> get at the encrypted passwords and thereby brute-force them. With YP (or
> equivalently, some other bug/exploit which exposes the password file) then the
> properties of your hash function does matter.

Always assume the bad guys have your password files.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message