Grzegorz Błach wrote:
Brute-force algoritm with collision can take password 100 time faster than brute-force without brute-force.
How do you prove this claim? AFAIK collision attacks need to know the plain text. Trying to brute-force a password means not having it in plain text. Hence collisions do not play any role.
Atacker not must stole password file, attack can be made from local network too. We can don't change password_format and still use md5, but we can change it to blowfish, maybe this is not a big issue, but for fix it, we must change only one record in /etc/login.conf. This is very trivial.
Yes, I also don't see any reason why we *have* to stick to md5. However, I also don't see any reason why we should switch to blowfish. cheers simon PS: could you please trim excessive quotes when replying? thanks. -- Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\ Work - Mac +++ space for low €€€ NOW!1 +++ Campaign \ / Party Enjoy Relax | http://dragonflybsd.org Against HTML \ Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
signature.asc
Description: OpenPGP digital signature