Date: Sun, 16 Jul 2000 12:49:04 -0700
From: "Crist J. Clark"
To: "O. Hartmann"
Cc: questions@FreeBSD.ORG
Subject: Re: DES or Standard CRYPT?
Message-ID: <20000716124904.A257@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu

On Sun, Jul 16, 2000 at 02:25:24PM +0200, O. Hartmann wrote:
> FreeBSD 4.0 comes with two different ways of encrypting passwords, either
> MD5 or DES. I figured out that using DES limits the password length up to
> 8 characters, while MD5 allows a maximum of 128 characters. The question
> I ask is: what kind of encryption service/lib should we use to have
> a secure system? Is MD5 hash sufficient or should we use DES? When linking
> libcrypt -> libdes, what is involved by this links? Only UNIX password
> encryption or other facilities?

For either DES or MD5 passwords, the standard method to crack
passwords will be a dictionary attack. For just about everyone but
NSA, cryptographic attacks are not feasible.

For this reason, if your users choose "good" passwords, MD5 will be
more secure since the difficulty of a dictionary attack increases
exponentially with the length of the password. Of course, if your
users pick weak passwords, either can be cracked.

> Is X11 hard-coded limited to use login (which reflects the used lib by
> limiting the length of the password, also) or is it possible to configure
> X11 login to use something else?

Are you talking about xdm(1) here? xdm does not use login(1). It uses
a 'xlogin' widget built into itself. However, xdm uses libcrypt, so it
will be using the same algorithm. That would seem to make a lot of
sense since xdm is using the same password file.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
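
An added example, not part of the original message: a Python audit that reads master.passwd(5)-style lines and reports which accounts still carry traditional DES crypt hashes (13 characters) rather than MD5 crypt (`$1$` prefix), since the thread notes that DES limits passwords to 8 characters. The function names and the sample data are constructed for illustration; the hash strings only have the right shape and are not hashes of real passwords.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, alphabet ./0-9A-Za-z
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: $1$<salt, up to 8 chars>$<22-char hash>
MD5_RE = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")

def classify(pw_field):
    """Return the scheme implied by the format of a password field."""
    if pw_field == "":
        return "empty"
    if pw_field.startswith("*"):
        return "locked"
    if MD5_RE.match(pw_field):
        return "md5"
    if DES_RE.match(pw_field):
        return "des"
    return "unknown"

def audit(master_passwd_text):
    """Map account name -> scheme; comments and malformed lines are skipped."""
    result = {}
    for line in master_passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:  # master.passwd(5) has ten colon-separated fields
            continue
        result[fields[0]] = classify(fields[1])
    return result

def des_accounts(master_passwd_text):
    """Accounts whose passwords are effectively capped at 8 characters."""
    return sorted(n for n, s in audit(master_passwd_text).items() if s == "des")

# Constructed sample in master.passwd layout (made-up hash strings).
SAMPLE = """\
# constructed example data
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab0123456789.:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:zz/ABCDEFGHI.:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
"""

print(des_accounts(SAMPLE))
```

Accounts listed by `des_accounts` keep their DES hash until the password is next changed under the MD5 setting, so they are the ones to prompt for a password change.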