Bugtraq mailing list archives

Re: passwd hashing algorithm
From: newsham () aloha net (Timothy Newsham)
Date: Mon, 17 Apr 1995 08:39:48 -1000 (HST)

Too fast, it still allows dictionary attacks rather easily (yes I know that 
users should choose good passwords, but some won't).

md5^500 (500 rounds of md5), or however many takes about 0.5 seconds on a fast 

The hashing should be computationally adjusted and should be adjusted
on each box to be barely tolerable.  There should also be a salt
value of course.  An attacker shouldn't be allowed to precompute
md5^(big num) and later do the (actual num - big num) md5's for
your particular system.

  -- Jon
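
The scheme discussed in the message above, as an added example that is not part of the original post: iterated MD5 with a per-entry salt, and a round count calibrated on the local machine to a target cost. The function names, the `rounds$salt$digest` storage format and the choice to mix salt and password into every round are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


def stretch(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Iterated MD5. Salt and password enter every round (an assumption of
    this sketch), so an unsalted md5^N table gives no head start."""
    h = hashlib.md5(salt + password).digest()
    for _ in range(rounds - 1):
        h = hashlib.md5(h + salt + password).digest()
    return h


def calibrate(target_seconds: float, start: int = 500) -> int:
    """Double the round count until one hash costs at least
    target_seconds on this box ("barely tolerable")."""
    rounds = start
    while True:
        t0 = time.perf_counter()
        stretch(b"calibration", b"\x00" * 8, rounds)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2


def make_entry(password: str, rounds: int) -> str:
    """Store the round count and salt next to the digest so the cost
    can be raised later without breaking existing entries."""
    salt = os.urandom(8)
    digest = stretch(password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, entry: str) -> bool:
    rounds_s, salt_hex, digest_hex = entry.split("$")
    candidate = stretch(password.encode(), bytes.fromhex(salt_hex), int(rounds_s))
    # Constant-time comparison of the recomputed digest
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rounds = calibrate(0.5)  # 0.5 s is the figure quoted in the thread
    entry = make_entry("constructed sample password", rounds)
    print(rounds, entry, verify("constructed sample password", entry))
```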
