Date:      Fri, 14 Feb 1997 22:11:17 +0100
From:      Poul-Henning Kamp <phk@critter.dk.tfs.com>
To:        Warner Losh <imp@village.org>
Cc:        Nate Williams <nate@mt.sri.com>, security@freebsd.org
Subject:   Re: blowfish passwords in FreeBSD 
Message-ID:  <10478.855954677@critter.dk.tfs.com>
In-Reply-To: Your message of "Fri, 14 Feb 1997 11:28:22 MST." <E0vvSMx-0002qb-00@rover.village.org> 

In message <E0vvSMx-0002qb-00@rover.village.org>, Warner Losh writes:
>In message <199702141804.LAA00515@rocky.mt.sri.com> Nate Williams writes:
>: I think DES and MD5 are enough in the default distribution.  You *can*
>: have too much of a good thing, and it hasn't been shown that MD5 is
>: breakable, and DES is only for backwards compatibility.
>
>The main motivation for doing this in OpenBSD was Theo knowing people
>that had broken MD5.  He further asserts that many of his friends are
>able to break the MD5 passwords easily by brute force.  Mostly due to
>the small salt space that made huge dictionary attacks possible.

The space between what Theo claims and what he actually can produce
when pushed is currently used to store the 98% of the universe that
science can't account for.

A rather quick calculation will show you that we are indeed talking
>huge< dictionary attacks.

Theo's problem is that it has not been "seriously analysed" and that
somebody has used the word "weak" in a paper about md5.

>: Trying to support 3 encryption routines is like trying to support three
>: init routines. :)
>
>Well, that's true.  We should relegate MD5 to the scrap heap then
>:-).  Actually, one of the features of the new stuff is a HUGE salt
>space that makes it impossible to store a dictionary on anything short
>of a multiple terabyte media.

The problem isn't the size of the salt, but the quality.  We should
start to get the salt from /dev/random, that would >REALLY< be an
improvement...

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
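
Added example, not part of the original message: a Python sketch of the salt size versus salt quality point discussed above. It compares a salt derived from a guessable seed with one drawn from the operating system's random source (os.urandom standing in for /dev/random) and sizes a precomputed dictionary for a given salt width. The 64-character crypt(3) salt alphabet, the 12-bit and 48-bit salt widths, the 16-byte hash size, the seed window and all function names are assumptions of this example.

```python
import math
import os
import random

# crypt(3) salt alphabet: 64 symbols, so 6 bits per salt character.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def salt_from_seed(seed, length=8):
    """Weak: the salt is a pure function of a guessable seed (e.g. the clock)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def salt_from_kernel(length=8):
    """Strong: each character takes 6 bits from the OS random source."""
    # 256 is a multiple of 64, so masking a byte down to 6 bits is unbiased.
    return "".join(ALPHABET[b & 0x3F] for b in os.urandom(length))

def seeded_salt_space(first_seed, count, length=8):
    """Every salt a seeded generator can emit over a window of seeds."""
    return {salt_from_seed(s, length)
            for s in range(first_seed, first_seed + count)}

def effective_bits(distinct_salts):
    """Salt entropy an attacker actually faces, in bits."""
    return math.log2(distinct_salts)

def table_bytes(words, salt_bits, hash_bytes=16):
    """Storage for one precomputed hash per (word, salt) pair."""
    return words * (1 << salt_bits) * hash_bytes

if __name__ == "__main__":
    words = 1_000_000  # constructed dictionary size
    for bits in (12, 48):
        print(f"{bits}-bit salt: {table_bytes(words, bits):.3e} bytes to precompute")

    # Constructed scenario: salts seeded from a 1-second clock, with the
    # account creation time known to within one hour (3600 candidate seeds).
    space = seeded_salt_space(1_000_000_000, 3600)
    print(f"nominal salt width: {6 * 8} bits")
    print(f"effective width with clock seeding: {effective_bits(len(space)):.1f} bits")
    print(f"kernel-sourced salt sample: {salt_from_kernel()}")
```

With the seeded generator, a nominally 48-bit salt collapses to fewer than 12 bits of real variation, which is why the source of the salt matters as much as its length.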


