Date: Tue, 15 Jun 1999 09:04:33 +0200 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Warner Losh <imp@harmony.village.org> Cc: Holtor <holtor@yahoo.com>, freebsd-security@FreeBSD.ORG Subject: Re: DES & MD5? Message-ID: <5244.929430273@critter.freebsd.dk> In-Reply-To: Your message of "Tue, 15 Jun 1999 00:58:11 MDT." <199906150658.AAA90712@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes: >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes: >: Uhm, sorry Warner, but that is not true. A brute force attack on >: MD5 is many orders of magnitude slower than on DES. > >Wouldn't that cause lots of messages to be logged about failed login >attempts? I was talking about the case where no one can get the >encrypted passwords. I do suppose this assumes that all the programs >that do login verification do syslogs failures... Which I must admit I have never verified that they do. I don't think a brute force attack without the scrambled passwords is sufficiently feasible to be attempted, for one thing you reveal your source-IP or tty/terminal identity, but even so, MD5 takes longer to computer than DES. >I agree that MD5 is better when the possibility of disclosure of the >encrypted passwords exists... Which it always does, it's only a matter of at which probability. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5244.929430273>