lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 16 Mar 2014 07:49:48 +0100
From: Jean-Philippe Aumasson <>
Subject: Re: [PHC] So what exactly happened to cause the PHC?

Yeah we identified a need for better password hashes and the SHA3
Competition just finished so I thought that was the right time for a
password hash competition. I threw the idea on Twitter and many more people
quickly joined the project.
On Mar 16, 2014 1:52 AM, "Jeremi Gosney" <> wrote:

> On 3/15/2014 4:11 PM, Bill Cox wrote:
> > I think I read a year-ish (or two) ago that the author of MD5 was
> > giving up maintaining the *nix /etc/password code because he couldn't
> > get anyone to let him fix it, and it clearly is so out of date that it
> > would make anyone interested in security go nuts.  Is this right?  My
> > memory is infamous for it's flaws.
> Not quite. Poul-Henning Kamp (who is on this list), the author of
> md5crypt (not MD5), stated that md5crypt should no longer be used
> because it is too fast on today's hardware, and as it has a fixed
> iteration count, there's nothing to be done about it except use
> something else.
> This did not prompt the PHC, however, since most operating systems had
> already replaced md5crypt with something else (bcrypt, sha512crypt, etc.)
> What prompted the PHC was simply all of the major password breaches in
> the last couple years, combined with this tweet from JP:

Content of type "text/html" skipped

Powered by blists - more mailing lists