From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:53:51 2010
From: Roger
Date: Thu, 28 Jan 2010 17:53:30 -0500
To: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-ID: <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com>
In-Reply-To: <20100128224022.396588dc@gumby.homeunix.com>
References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com>
> > The point of slowing down the algorithm is to protect against off-line
> > attack where an attacker has gained access to a copy of master.passwd.

When you say "off-line attack", do you refer to the attacker running a brute
force attack on his/her machine? I'm assuming that by using a slow algorithm
the attacker is forced to use the same slow algorithm to check the passwords?

> Any hashing has to be done when the password is set, so it's fixed
> thereafter.

What do you mean by that?

Thank you very much for taking the time to answer.

-r
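As an added illustration of the two points quoted above (this is not code from the thread, nor FreeBSD's md5crypt): a simplified salted, iterated MD5 scheme that freezes its round count into the stored string, so verification, and therefore every guess made by someone holding a copy of master.passwd, must repeat exactly the work chosen when the password was set. The `$demo$` string format and the `_iterate` mixing order are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Simplified salted, iterated MD5 in the spirit of PHK's md5crypt. It shows
# the structure (salt + round count frozen into the stored string), not the
# real md5crypt algorithm; the "$demo$" format is an assumption for this demo.

def _iterate(password: bytes, salt: bytes, rounds: int) -> bytes:
    digest = hashlib.md5(salt + password).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password + salt).digest()
    return digest

def set_password(password: str, rounds: int = 1000) -> str:
    """Runs when the password is set: salt and round count are chosen here
    and frozen into the stored string '$demo$<rounds>$<salt>$<hash>'.
    Raising the cost later only takes effect when the password is set again."""
    salt = os.urandom(8).hex()
    digest = _iterate(password.encode(), salt.encode(), rounds)
    return f"$demo${rounds}${salt}${digest.hex()}"

def stored_rounds(stored: str) -> int:
    """The work factor lives in the stored string, not in the verifier."""
    _, _, rounds, _, _ = stored.split("$")
    return int(rounds)

def verify(password: str, stored: str) -> bool:
    """Verification replays exactly the work chosen at set time; an off-line
    attacker with a copy of master.passwd pays the same cost per guess."""
    _, scheme, rounds, salt, digest_hex = stored.split("$")
    if scheme != "demo":
        return False
    candidate = _iterate(password.encode(), salt.encode(), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def seconds_per_verify(stored: str, samples: int = 20) -> float:
    """Cost of one check with a wrong password: the per-guess cost an
    off-line attacker is forced to pay for this particular entry."""
    start = time.perf_counter()
    for _ in range(samples):
        verify("not the password", stored)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    cheap = set_password("correct horse", rounds=1000)
    costly = set_password("correct horse", rounds=100000)
    print("rounds frozen at set time:", stored_rounds(cheap), stored_rounds(costly))
    print("seconds per guess, 1000 rounds:   %.6f" % seconds_per_verify(cheap))
    print("seconds per guess, 100000 rounds: %.6f" % seconds_per_verify(costly))
```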