On Mon, Apr 05, 2010 at 01:50:39PM -0500, Mike Gerdts wrote:
> Assuming a password is 8 characters or fewer, is the password safer if it is
> hashed using the traditional unix crypt or an MD5 based crypt? Several
> years ago, I would have argued for md5 because it would allow for longer
> passwords. The well-known collision attacks against MD5 make me question
> whether it is harder to brute force a traditional crypt or generate an MD5
> collision. Is there any data available that can be used to guide a decision
> in this area?
>
> I realize there are better alternatives out there, but when dealing with a
> mixed environment options are often limited. RHEL and its derivatives seem
> to be stuck on crypt or md5 (I'd love to be proven wrong). Solaris 9 can do
> crypt, md5, or blowfish.
MD5 crypt is much better than the old Unix crypt.

Collision attacks on hash functions are not interesting in this case (what are you trying to collide with?). Pre-image attacks are interesting; there are still no known pre-image attacks on MD5.

The crypt approach to password validation is always subject to off-line dictionary attacks by anyone who can see crypted passwords. The whole point of using MD5 or some other hash function for crypt is to make each crypt call slower while allowing no better attacks than to crypt a guess and compare the result to a crypt value that you have. By making crypt slow you slow down off-line dictionary attacks. By protecting crypted passwords from being read by attackers you prevent the attack in the first place.

Nico

--
_______________________________________________
security-discuss mailing list
[email protected]
