From owner-freebsd-security Mon Jun 14 23:58:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id D88281546D for ; Mon, 14 Jun 1999 23:58:29 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46439; Tue, 15 Jun 1999 00:58:27 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90712; Tue, 15 Jun 1999 00:58:11 -0600 (MDT) Message-Id: <199906150658.AAA90712@harmony.village.org> To: Poul-Henning Kamp Subject: Re: DES & MD5? Cc: Holtor , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 15 Jun 1999 08:49:04 +0200." <5182.929429344@critter.freebsd.dk> References: <5182.929429344@critter.freebsd.dk> Date: Tue, 15 Jun 1999 00:58:11 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes: : Uhm, sorry Warner, but that is not true. A brute force attack on : MD5 is many orders of magnitude slower than on DES. Wouldn't that cause lots of messages to be logged about failed login attempts? I was talking about the case where no one can get the encrypted passwords. I do suppose this assumes that all the programs that do login verification do syslogs failures... I agree that MD5 is better when the possibility of disclosure of the encrypted passwords exists... Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message