Open Source and information security mailing list archives
 
Message-ID: <CAGiyFdc8ki2mZS+tzEp_T1wS1R_UGivmRJK4onRoFthzbZ5gYQ@mail.gmail.com>
Date: Sun, 16 Mar 2014 07:49:48 +0100
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] So what exactly happened to cause the PHC?

Yeah we identified a need for better password hashes and the SHA3
Competition just finished so I thought that was the right time for a
password hash competition. I threw the idea on Twitter and many more people
quickly joined the project.

On Mar 16, 2014 1:52 AM, "Jeremi Gosney" <epixoip@...dshell.nl> wrote:

> On 3/15/2014 4:11 PM, Bill Cox wrote:
> > I think I read a year-ish (or two) ago that the author of MD5 was
> > giving up maintaining the *nix /etc/password code because he couldn't
> > get anyone to let him fix it, and it clearly is so out of date that it
> > would make anyone interested in security go nuts.  Is this right?  My
> > memory is infamous for its flaws.
>
> Not quite. Poul-Henning Kamp (who is on this list), the author of
> md5crypt (not MD5), stated that md5crypt should no longer be used
> because it is too fast on today's hardware, and as it has a fixed
> iteration count, there's nothing to be done about it except use
> something else.
>
> This did not prompt the PHC, however, since most operating systems had
> already replaced md5crypt with something else (bcrypt, sha512crypt, etc.)
>
> What prompted the PHC was simply all of the major password breaches in
> the last couple years, combined with this tweet from JP:
> https://twitter.com/veorq/status/283180495062331393
>
>
