Date: Tue, 15 Jun 1999 14:29:10 -0700
From: Gregory Sutter <gsutter@pobox.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Warner Losh <imp@harmony.village.org>, Holtor <holtor@yahoo.com>, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
Message-ID: <19990615142910.V37775@001101.zer0.org>
In-Reply-To: <7661.929481131@critter.freebsd.dk>; from Poul-Henning Kamp on Tue, Jun 15, 1999 at 11:12:11PM +0200
References: <19990615135003.U37775@001101.zer0.org> <7661.929481131@critter.freebsd.dk>
On Tue, Jun 15, 1999 at 11:12:11PM +0200, Poul-Henning Kamp wrote:
> In message <19990615135003.U37775@001101.zer0.org>, Gregory Sutter writes:
> >On Tue, Jun 15, 1999 at 08:49:04AM +0200, Poul-Henning Kamp wrote:
> >>
> >> Uhm, sorry Warner, but that is not true.  A brute force attack on
> >> MD5 is many orders of magnitude slower than on DES.
> >
> >At USENIX, Niels Provos and David Mazieres presented a paper entitled
> >"A Future-Adaptable Password Scheme", in which they described two
> >algorithms with adaptable cost,
>
> In my opinion the most important thing is to realize that scrambled
> passwords are cheap to replace, and therefore a "kleenex" principle
> can be applied to the protection.

That may not be the case for every installation, Poul.

> That said I'm sure their algorithm is at least as good, and quite
> likely much better than the MD5 based one that I wrote, but the
> important thing is the '$1$' at the front of the password which
> will allow us to change the entire thing at a moment's notice:
>
> Install new libcrypt ("$2$", or "$3$" or whatever)
> Set all passwords to expire in 1 hour/day/week/month/year
> Tell your users that they haven't changed their password
> for too long

This is supported.  Under OpenBSD (the only place where bcrypt is
currently implemented), the version identifier for bcrypt is "$2a$".
Password hashes can still be changed just as easily as with MD5.

Greg
--
Gregory S. Sutter                     The best way to accelerate Windows
mailto:gsutter@pobox.com              is at 9.8 m/s^2.
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052
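The mechanism the thread relies on, the `$id$` prefix on a stored hash that lets a site recognise which scheme produced each record, dispatch verification accordingly, and re-hash stale records as users log in, is illustrated by the following added example. It is not code from this thread, from FreeBSD's libcrypt or from OpenBSD: `$1$` and `$2a$` are the identifiers named above and are only recognised (their verifiers are passed in from outside), while the `$pbkdf2$` identifier, its field layout and the cost values are constructed for the example to stand in for "the new scheme" a site migrates to.

```python
"""Added example of identifier-prefixed password hashes and rolling migration.
Constructed for illustration; the '$pbkdf2$' identifier and layout are not a
real crypt(3) scheme."""
import base64
import hashlib
import hmac
import os

# Identifiers from the thread: "$1$" is the MD5-based scheme, "$2a$" is bcrypt
# on OpenBSD. "pbkdf2" is the constructed identifier for the scheme this
# example currently produces. CURRENT_COST is log2(iterations); raising it
# later is the "adaptable cost" the Provos/Mazieres paper argues for.
CURRENT_SCHEME = "pbkdf2"
CURRENT_COST = 12


def split_modular(stored):
    """Return (identifier, body) for a '$id$...' string.

    A string with no leading '$' is treated as traditional DES crypt, which
    carries no identifier at all; that is exactly why '$1$' was introduced."""
    if not stored.startswith("$"):
        return "des", stored
    parts = stored.split("$", 2)
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed modular crypt string")
    return parts[1], parts[2]


def hash_password(password, cost=CURRENT_COST, salt=None):
    """Produce '$pbkdf2$<cost>$<salt b64>$<dk b64>' (constructed layout)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return "$%s$%d$%s$%s" % (CURRENT_SCHEME, cost,
                              base64.b64encode(salt).decode(),
                              base64.b64encode(dk).decode())


def verify(password, stored, legacy_verifiers=None):
    """Check a password against a stored hash.

    Returns (ok, needs_rehash). needs_rehash is True when the record is in a
    scheme other than the current one, or in the current scheme at a cost
    below CURRENT_COST. legacy_verifiers maps an identifier ('1', '2a',
    'des') to a callable (password, stored) -> bool supplied by whatever
    library still understands that scheme; nothing here implements them."""
    ident, body = split_modular(stored)
    if ident == CURRENT_SCHEME:
        cost_s, salt_b64, dk_b64 = body.split("$")
        cost = int(cost_s)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), 1 << cost)
        ok = hmac.compare_digest(dk, base64.b64decode(dk_b64))
        return ok, ok and cost < CURRENT_COST
    if legacy_verifiers and ident in legacy_verifiers:
        ok = legacy_verifiers[ident](password, stored)
        # Any legacy scheme is replaced on the next successful login.
        return ok, ok
    raise ValueError("no verifier for scheme $%s$" % ident)


def login(password, stored, legacy_verifiers=None):
    """Verify and, if the record is stale, return the replacement hash to
    store; otherwise return the record unchanged."""
    ok, stale = verify(password, stored, legacy_verifiers)
    if not ok:
        return False, stored
    return True, (hash_password(password) if stale else stored)


if __name__ == "__main__":
    # Constructed legacy verifier standing in for a real "$1$" implementation.
    legacy = {"1": lambda pw, s: pw == "old-secret" and s == "$1$salt$digest"}
    print(login("old-secret", "$1$salt$digest", legacy))
```

The two-tuple returned by `verify` is the whole point: a login path that only answers yes/no cannot drive the migration Poul-Henning describes, whereas one that also reports "this record is stale" lets the site replace hashes one successful login at a time, and the password-expiry step in the thread then only needs to catch the accounts that never log in.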