Date: Fri, 26 Jul 1996 07:27:37 -0700 (PDT)
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To: phk@critter.tfs.com (Poul-Henning Kamp)
Cc: freebsd-security@freebsd.org
Subject: Re: Crack 4.1 patches for FBSD
Message-ID: <199607261427.HAA02418@kdat.calpoly.edu>
In-Reply-To: <2328.838369704@critter.tfs.com> from "Poul-Henning Kamp" at Jul 26, 96 10:28:24 am

> >> Here is beta 1 of the changes I have done to Crack 4.1 in order to
> >> make it work with master.passwd (md5) style passwords. Patch from crack/
> >
> >I wouldn't bother. I spoke with Alec Moffet today at the USENIX security
> >conference. Crack 5.0 is due out in 6 (or so) weeks. He said it was a
> >complete rewrite, and he has substantially changed the handling of
> >different password file formats.
>
> Any news on any attacks on our MD5 based passwords ?

The only problem I see with them is that MD5 is so darn quick, your number of crypts goes way up even with the present number of iterations. The DES hash used in most Unicen was designed to be slow (originally taking 1 second per crypt on a VAX 11/780), but that fell prey to optimization and exponential CPU speed increases. Perhaps some intermediate permutations between hashes might be appropriate, but I'd consider the algorithm very carefully as it is very easy to end up with something that is no slower than the original and significantly less secure.

--
Nate Lawson     "There are a thousand hacking at the branches of
CPE Senior       evil to one who is striking at the root."
CSL Admin            -- Henry David Thoreau, 'Walden', 1854
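An added example, not part of the original message and not code from Crack or FreeBSD: it measures what one stretched MD5 hash costs on the local machine, scales the round count to a target per-hash cost, and shows how a fixed round count loses that cost as hardware speeds up. The chaining construction, function names, probe size and sample inputs are assumptions made for illustration; this is not the md5crypt algorithm.

```python
import hashlib
import time

def iterated_md5(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Simplified stretch (assumed construction, not md5crypt): chain MD5 `rounds` times."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(rounds - 1):
        # Feed salt and password back in so each round depends on the secret.
        digest = hashlib.md5(digest + salt + password).digest()
    return digest

def seconds_per_hash(rounds: int, samples: int = 5) -> float:
    """Best-of-N wall-clock cost of one stretched hash on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        iterated_md5(b"constructed-password", b"constructed-salt", rounds)
        best = min(best, time.perf_counter() - start)
    return best

def rounds_for_target(measured_rounds: int, measured_seconds: float,
                      target_seconds: float) -> int:
    """Scale the round count linearly so one hash costs about target_seconds."""
    if measured_seconds <= 0 or target_seconds <= 0:
        raise ValueError("timings must be positive")
    return max(1, round(measured_rounds * target_seconds / measured_seconds))

def cost_after_speedup(seconds_now: float, doublings: int) -> float:
    """Per-hash cost once hardware speed has doubled `doublings` times, rounds unchanged."""
    return seconds_now / (2 ** doublings)

if __name__ == "__main__":
    probe_rounds = 1000  # constructed probe size
    cost = seconds_per_hash(probe_rounds)
    print(f"{probe_rounds} rounds cost {cost * 1e3:.3f} ms per hash here")
    print("rounds needed for 0.25 s per hash:",
          rounds_for_target(probe_rounds, cost, 0.25))
    # The message's figure: 1 second per crypt when the DES hash was designed.
    for doublings in (5, 10, 15):
        print(f"1 s per hash after {doublings} speed doublings: "
              f"{cost_after_speedup(1.0, doublings) * 1e6:.1f} us")
```

Because the cost of a fixed round count halves with every doubling of hardware speed, the round count has to be stored alongside each hash and raised over time for the per-guess cost to hold.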