Assuming a password is 8 characters or fewer, is the password safer if it is hashed using the traditional Unix crypt or an MD5-based crypt? Several years ago, I would have argued for MD5 because it would allow for longer passwords. The well-known collision attacks against MD5 make me question whether it is harder to brute force a traditional crypt or generate an MD5 collision. Is there any data available that can be used to guide a decision in this area?
I realize there are better alternatives out there, but when dealing with a mixed environment, options are often limited. RHEL and its derivatives seem to be stuck on crypt or md5 (I'd love to be proven wrong). Solaris 9 can do crypt, md5, or blowfish.

--
Mike Gerdts
http://mgerdts.blogspot.com/
_______________________________________________
security-discuss mailing list
