From owner-freebsd-security Tue Jun 15 3:37:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from web128.yahoomail.com (web128.yahoomail.com [205.180.60.197])
	by hub.freebsd.org (Postfix) with SMTP id 798C514D1D
	for ; Tue, 15 Jun 1999 03:37:45 -0700 (PDT)
	(envelope-from holtor@yahoo.com)
Message-ID: <19990615104334.23910.rocketmail@web128.yahoomail.com>
Received: from [209.191.62.61] by web128.yahoomail.com; Tue, 15 Jun 1999 03:43:34 PDT
Date: Tue, 15 Jun 1999 03:43:34 -0700 (PDT)
From: Holtor
Subject: Re: DES & MD5?
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So there really is no easy way to convert. I just wanted
to move everything to MD5. Then just go in, and change each
user's password and e-mail them all. I'm really not an expert
with hacking source code, I know I'd probably screw it up
horribly.

My original intent was that if someone broke in, I figure
MD5 passwords would be harder to break.

Holt

--- Poul-Henning Kamp wrote:
> In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
> >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
> >: Uhm, sorry Warner, but that is not true. A brute force attack on
> >: MD5 is many orders of magnitude slower than on DES.
> >
> >Wouldn't that cause lots of messages to be logged about failed login
> >attempts? I was talking about the case where no one can get the
> >encrypted passwords. I do suppose this assumes that all the programs
> >that do login verification do syslogs failures...
>
> Which I must admit I have never verified that they do. I don't
> think a brute force attack without the scrambled passwords is
> sufficiently feasible to be attempted, for one thing you reveal
> your source-IP or tty/terminal identity, but even so, MD5 takes
> longer to compute than DES.
>
> >I agree that MD5 is better when the possibility of disclosure of the
> >encrypted passwords exists...
>
> Which it always does, it's only a matter of at which probability.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
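
Added example, not part of the original message or of FreeBSD's own code: a stored hash is one-way and cannot be converted between schemes, so moving to MD5 means finding the accounts that still carry DES hashes and having those passwords reset. The code below classifies the password field of master.passwd-style lines by its format; the function names are hypothetical and the sample entries, including their hash strings, are constructed placeholders.

```python
import re

B64 = r"[./0-9A-Za-z]"          # alphabet used by crypt(3) hash encodings
SCHEMES = [                     # checked in order, most specific first
    ("md5", re.compile(rf"^\$1\$[^$:]{{1,8}}\${B64}{{22}}$")),  # $1$salt$hash
    ("des-extended", re.compile(rf"^_{B64}{{19}}$")),   # _ + count, salt, hash
    ("des", re.compile(rf"^{B64}{{13}}$")),             # 2-char salt + 11-char hash
]

def classify(field):
    """Name the scheme of one password field, judged by its shape only."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):    # assumption: marks a disabled login
        return "locked"
    for name, pattern in SCHEMES:
        if pattern.match(field):
            return name
    return "unknown"

def audit(text):
    """Return {scheme: [user, ...]} for master.passwd-style text (10 fields)."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:           # e.g. a 7-field passwd line mixed in
            report.setdefault("malformed", []).append(f"line {lineno}")
            continue
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return report

def needs_reset(text):
    """Users whose stored hash is still one of the DES formats."""
    report = audit(text)
    return sorted(report.get("des", []) + report.get("des-extended", []))

# Constructed placeholders: correct shape, not real password hashes.
FAKE_MD5 = "$1$saltsalt$" + "y" * 22
FAKE_DES = "ab" + "x" * 11
FAKE_EXT = "_" + "z" * 19
SAMPLE = f"""\
root:{FAKE_MD5}:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:{FAKE_DES}:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:{FAKE_EXT}:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("reset required:", needs_reset(SAMPLE))
```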