Date: Sun, 30 Dec 2001 00:02:48 -0600 From: "Jacques A. Vidrine" <n@nectar.cc> To: Allen Landsidel <all@biosys.net> Cc: Rik <freebsd-security@rikrose.net>, Ryan Thompson <ryan@sasknow.com>, freebsd-security@FreeBSD.ORG Subject: Re: MD5 password salt calculation Message-ID: <20011230060248.GA80453@madman.nectar.cc> In-Reply-To: <5.1.0.14.0.20011230002742.00afd4b8@rfnj.org> References: <5.1.0.14.0.20011230000743.00a91a80@rfnj.org> <20011229133456.J99302-100000@catalyst.sasknow.net> <20011229133456.J99302-100000@catalyst.sasknow.net> <5.1.0.14.0.20011230000743.00a91a80@rfnj.org> <5.1.0.14.0.20011230002742.00afd4b8@rfnj.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 30, 2001 at 12:58:08AM -0500, Allen Landsidel wrote: > Using something like strftime(3) defeats this, depending on the format used > in the call. If you have 256 possible salts, then an attacker may be > dissuaded from generating the lookup. Actually, even really isn't enough salt, and is one of the several problems with the traditional UNIX crypt scheme. > If you only have 24 (say strftime > was called to generate a normal human-readable time, and the two characters > for the hour were used) then the purpose behind the salt is entirely > defeated, and may as well be left off just to make the code cleaner. Yes, that would be bad. But that's not what the original poster described. Cheers, -- Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011230060248.GA80453>