lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <42680374.6060104@securescience.net>
Date: Thu, 21 Apr 2005 12:48:04 -0700
From: Lance James <lancej@...urescience.net>
To: "Joshua D. Drake" <jd@...mandprompt.com>
Cc: "Jim C. Nasby" <decibel@...ibel.org>,
	Tom Lane <tgl@....pgh.pa.us>, Stephen Frost <sfrost@...wman.net>,
	pgsql-hackers@...tgresql.org, bugtraq@...urityfocus.com
Subject: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


Joshua D. Drake wrote:
>> Simply put, MD5 is no longer strong enough for protecting secrets. It's
>> just too easy to brute-force. SHA1 is ok for now, but it's days are
>> numbered as well. I think it would be good to alter SHA1 (or something
>> stronger) as an alternative to MD5, and I see no reason not to use a
>> random salt instead of username.
> 
> 
> If you aren't paying close enough attention to your database server to
> see that someone is trying to brute force your MD5 password you have 
> bigger problems.

The comments on md5 and sha1 are both inaccurate if you're comparing 
them. Encrypted passwords are as strong as the design of the password. 
In some cases, SHA-1 is a faster brute force because SHA-1 is a faster 
hash. There are two issues here. Using SHA-1 to hash a password, and the 
strength of a password. If the implementation of SHA-1 is not effective, 
there could be weaknesses that enable reducing the time required to 
perform exhaustive/dictionary attacks against sha-1 protected password.

I'm out of context, but I had to make some corrections.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ