Date:      Fri, 29 Jan 2010 00:53:30 +0000
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: PHK's MD5 might not be slow enough anymore
Message-ID:  <20100129005330.1694c20f@gumby.homeunix.com>
In-Reply-To: <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com>
References:  <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com>

On Thu, 28 Jan 2010 17:53:30 -0500
Roger <rnodal@gmail.com> wrote:

> >
> > The point of slowing down the algorithm is to protect against
> > off-line attack where an attacker has gained access to a copy of
> > master.passwd.
> 
> When you say "off-line attack" do you refer to the attacker running a
> brute force attack on his/her machine?

Yes

> I'm assuming that by using a slow algorithm the attacker is forced to
> use the same slow algorithm to check the passwords?

Hopefully

> > Any hashing has to be done when the password is set, so it's fixed
> > thereafter.
> 

The thread is about password hashing, which is not a mechanism to
slow down and back off login attempts.
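
The quoted point that the hash is computed when the password is set and is fixed thereafter, shown as an added example that is not part of the original message. PBKDF2-SHA256 stands in for the slow hash (it is not the MD5 crypt the thread discusses), and the entry format, function names and round counts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"  # assumed stand-in scheme label, not a master.passwd format


def hash_password(password, rounds, salt=None):
    """Run the slow hash once, at password-set time, and record its cost in the entry."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"${SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def parse(entry):
    """Split a stored entry into (rounds, salt, digest)."""
    _, scheme, rounds, salt, digest = entry.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme")
    return int(rounds), bytes.fromhex(salt), bytes.fromhex(digest)


def verify(password, entry):
    """Check a password at the cost stored in the entry.

    Anyone holding a copy of the entry pays this same cost per guess,
    no more and no less, whatever the site's current policy says.
    """
    rounds, salt, expected = parse(entry)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def login(password, entry, current_rounds):
    """Return (ok, entry). The cost can only be raised here, because this is
    the one moment after set-time when the plaintext password is available."""
    if not verify(password, entry):
        return False, entry
    if parse(entry)[0] < current_rounds:
        entry = hash_password(password, current_rounds)
    return True, entry


if __name__ == "__main__":
    old = hash_password("correct horse", 1000)        # constructed sample values
    ok, new = login("correct horse", old, 50000)
    print(ok, parse(old)[0], "->", parse(new)[0])
```

An entry that is never used for a successful login keeps the cost it was created with, which is why raising the default only protects passwords set or re-hashed afterwards.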
