Date: Sat, 15 Mar 2014 17:51:39 -0700
From: Jeremi Gosney
Subject: Re: [PHC] So what exactly happened to cause the PHC?

On 3/15/2014 4:11 PM, Bill Cox wrote:
> I think I read a year-ish (or two) ago that the author of MD5 was
> giving up maintaining the *nix /etc/password code because he couldn't
> get anyone to let him fix it, and it clearly is so out of date that it
> would make anyone interested in security go nuts.  Is this right?  My
> memory is infamous for its flaws.

Not quite. Poul-Henning Kamp (who is on this list), the author of
md5crypt (not MD5), stated that md5crypt should no longer be used
because it is too fast on today's hardware, and as it has a fixed
iteration count, there's nothing to be done about it except use
something else.

This did not prompt the PHC, however, since most operating systems had
already replaced md5crypt with something else (bcrypt, sha512crypt, etc.)

What prompted the PHC was simply all of the major password breaches in
the last couple years, combined with this tweet from JP:
