Date: Sun, 04 Jan 2009 09:41:05 +0000 From: "Poul-Henning Kamp" <phk@phk.freebsd.dk> To: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de> Cc: freebsd-security@freebsd.org Subject: Re: MD5 vs. SHA1 hashed passwords in /etc/master.passwd: can we configure SHA1 in /etc/login.conf? Message-ID: <38332.1231062065@critter.freebsd.dk> In-Reply-To: Your message of "Sat, 03 Jan 2009 22:45:59 %2B0100." <495FDC97.4090301@mail.zedat.fu-berlin.de>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <495FDC97.4090301@mail.zedat.fu-berlin.de>, "O. Hartmann" writes: >MD5 seems to be compromised by potential collision attacks. No it is not. Single MD5 invocations with controlled plaintext allow you to construct appendages to the plaintext, which would result in identical MD5 hash values. This does not affect your passwords. 1. If you already know peoples password, why futz with the encryption of them ? 2. MD5 password hash is not single invocation, in fact MD5 i iterated more than a thousand times in various permutations. Nobody has any idea how to break that, short of brute force. Poul-Henning -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38332.1231062065>