From owner-freebsd-security Tue Jun 15 0: 5:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by hub.freebsd.org (Postfix) with ESMTP id 220A515487
	for ; Tue, 15 Jun 1999 00:05:20 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id JAA05246;
	Tue, 15 Jun 1999 09:04:33 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Warner Losh
Cc: Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Tue, 15 Jun 1999 00:58:11 MDT." <199906150658.AAA90712@harmony.village.org>
Date: Tue, 15 Jun 1999 09:04:33 +0200
Message-ID: <5244.929430273@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
>In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
>: Uhm, sorry Warner, but that is not true.  A brute force attack on
>: MD5 is many orders of magnitude slower than on DES.
>
>Wouldn't that cause lots of messages to be logged about failed login
>attempts?  I was talking about the case where no one can get the
>encrypted passwords.  I do suppose this assumes that all the programs
>that do login verification do syslogs failures...

Which I must admit I have never verified that they do.

I don't think a brute force attack without the scrambled passwords
is sufficiently feasible to be attempted, for one thing you reveal
your source-IP or tty/terminal identity, but even so, MD5 takes longer
to compute than DES.

>I agree that MD5 is better when the possibility of disclosure of the
>encrypted passwords exists...

Which it always does, it's only a matter of at which probability.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!