Re: passwd hashing algorithm

Timothy Newsham (newsham@aloha.net)
Mon, 17 Apr 1995 08:39:48 -1000 (HST)

> Too fast, it still allows dictionary attacks rather easily (yes I know that 
> users should choose good passwords, but some won't).
> 
> md5^500 (500 rounds of md5), or however many takes about 0.5 seconds on a fast 

The hashing should be computationally adjusted and should be adjusted
on each box to be barely tolerable.  There should also be a salt
value of course.  An attacker shouldn't be allowed to precompute
md5^(big num) and later do the (actual num - big num) md5's for
your particular system.

>   -- Jon
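
The points made in the reply above, as an added example that is not part of the original post: a round count calibrated on each machine, and a check showing that md5^(big num) work carries over to any unsalted system but not to a salted one. The function names, the round counts 400 and 500, the sample password, and prepending the salt before the first round are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

def iter_md5(data: bytes, rounds: int) -> bytes:
    """md5^rounds(data): feed each digest back into MD5."""
    for _ in range(rounds):
        data = hashlib.md5(data).digest()
    return data

def hash_password(password: bytes, rounds: int, salt: bytes = b"") -> bytes:
    # Assumption: the salt is prepended before the first round, so every
    # intermediate state depends on it. An empty salt is the unsalted scheme.
    return iter_md5(salt + password, rounds)

def calibrate(target_seconds: float, probe_rounds: int = 20000) -> int:
    """Choose a per-machine round count costing about target_seconds."""
    start = time.perf_counter()
    iter_md5(b"calibration input", probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))

def precomputed_work_carries_over(password: bytes, big: int, actual: int,
                                  salt: bytes = b"") -> bool:
    """Does md5^big(password), computed with no knowledge of this system,
    reach the stored hash after only (actual - big) further rounds?"""
    shared = iter_md5(password, big)            # done once, reusable anywhere
    extended = iter_md5(shared, actual - big)   # cheap per-system remainder
    return hmac.compare_digest(extended, hash_password(password, actual, salt))

if __name__ == "__main__":
    pw = b"constructed-sample-password"   # constructed sample value
    salt = os.urandom(8)                  # per-account random salt
    print("rounds for ~0.5 s on this box:", calibrate(0.5))
    print("unsalted, work carries over:",
          precomputed_work_carries_over(pw, 400, 500))
    print("salted, work carries over:  ",
          precomputed_work_carries_over(pw, 400, 500, salt))
```

With an empty salt the check returns True, which is the precomputation concern raised in the reply; with any salt mixed in before the first round it returns False, so the full round count has to be paid per account.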