On Tue, Mar 13, 2018 at 07:36:19PM +0100, Sven Hartge wrote:
> to...@tuxteam.de wrote:

[...]

> > Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> > all too easily
>
> Yes, basically.
>
> > But I don't think your operating system is going to do that behind
> > your back ;-)
>
> It would be quite obvious when just starting "passwd" takes several days
> while it cracks your MD5 hash to replace it with a stronger one ;)

And possibly eat through a disk or two (or are rainbow tables superfluous
with current GPUs? I don't know).

All that to choose quite probably a *different* password which happens
to hash to the same MD5. Login no more possible, but now secure :)

> But on that note: I wonder if one could create a PAM module which will
> do just that on successful login. Once you *know* you have the right
> password (and the PAM system has that knowledge including the plain text
> password the user entered) just rehash it and update /etc/shadow.
>
> This will gradually upgrade all hashes once a user uses an account.

That would be downright sneaky :-)

Cheers
-- t
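
The rehash-on-successful-login idea discussed in this message, as an added example that is not part of the original thread and not PAM code. It assumes an in-memory dict standing in for /etc/shadow and made-up scheme tags ("md5", "pbkdf2-sha256") rather than real crypt(3) formats; all function names are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 200_000  # assumed target work factor for this example

# Entries look like "scheme$...$digest". The tags are constructed for this
# example; they are not the $1$/$6$ formats used in a real /etc/shadow.
def hash_legacy_md5(password: str, salt: bytes) -> str:
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def hash_pbkdf2(password: str, salt: bytes, iters: int = PBKDF2_ITERS) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()
    return f"pbkdf2-sha256${iters}${salt.hex()}${digest}"

def verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        expected = hash_legacy_md5(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2-sha256" and len(parts) == 4:
        expected = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(expected, stored)

def needs_rehash(stored: str) -> bool:
    # Upgrade legacy schemes and entries with a lower work factor.
    parts = stored.split("$")
    return parts[0] != "pbkdf2-sha256" or int(parts[1]) < PBKDF2_ITERS

def login(store: dict, user: str, password: str) -> bool:
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False  # a failed login never touches the stored hash
    if needs_rehash(stored):
        # Only at this point is the verified plaintext available, so the
        # entry is replaced with a fresh salt and the stronger scheme.
        store[user] = hash_pbkdf2(password, os.urandom(16))
    return True

# Constructed sample entry using the legacy scheme.
SAMPLE_STORE = {"alice": hash_legacy_md5("correct horse", b"\x01\x02\x03\x04")}
```

Accounts that never log in keep their legacy hash, so a migration like this still needs a cutoff after which remaining old entries are expired or forced through a password reset.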