Date:      Tue, 15 Jun 1999 16:31:22 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        Warner Losh <imp@harmony.village.org>, Holtor <holtor@yahoo.com>, freebsd-security@freebsd.org
Subject:   Re: DES & MD5? 
Message-ID:  <Pine.OSF.4.10.9906151628010.1783-100000@bragg>
In-Reply-To: <5182.929429344@critter.freebsd.dk>

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

> >Are you using yp? If not, then there likely isn't much difference
> >between the two.  MD5 was used as a replacement for DES when the des
> >routines were export controlled.  Since no one but root can grab the
> >encrypted passwords, you'll gain nothing by moving from one to the
> >other.
> 
> Uhm, sorry Warner, but that is not true.  A brute force attack on
> MD5 is many orders of magnitude slower than on DES.

Warner's point, I believe, was that without using YP there's no easy way to
get at the encrypted passwords and thereby brute-force them. With YP (or
equivalently, some other bug/exploit which exposes the password file) then the
properties of your hash function do matter.

In reality of course, it's better to be safe and use strong password methods
even when they 'should' not be needed by virtue of the password file being
hidden.

Kris

> 
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
    -- Unknown


