Re: encrypt password by md5 twice?
I'd agree with Gavin. Just go ahead and reset the passwords. Might be a
good time to work on a password self-service solution too. ;)
--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
Identity Management, LDAP, and Linux Integration
Gavin Henry wrote:
> Zhang Weiwu wrote:
>> Dear everyone
>>
>> I am planning to migrate an Intranet info system to authenticate with
>> OpenLDAP, so more of our business can be done with the same login. The
>> old system uses their own SQL table to store user information, no
>> problem, I can write a script to convert to LDIF format. But md5 was
>> used to encrypt user password, and the developer of that system knows
>> md5 is cracked, so he encrypted the md5 hash with md5 method again.
>>
>> clear text password --> md5 hash --> md5 hash of the md5 hash
>>
>> My question:
>>
>> 1. Have you ever heard of this solution to avoid md5 crack? Now as I
>> cannot reach the original system author, I wonder how this idea
>> came to be (e.g. why not using SHA).
>
> not heard of it.
>
>> 2. Does it work? (is md5 hashed md5 hash much safer with no
>> side-effect?)
>
> Sounds like it would take twice as long.
>
>> 3. Now, how can we migrate this system to use openldap? AFAIK
>> openldap has no direct support for such hash. There are a lot of
>> users of the system and there will be problems if migration is
>> done and everyone's password is reset.
>
> You'd have to get everyone to type in their md5 hash ;-)
>
> You've no choice but to reset all passwords. Seems like the best time to
> do it under the "migration" umbrella.
>
> Gavin.
>
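
Added example, not part of the thread: a short Python sketch of why the legacy hash cannot simply be carried into an OpenLDAP `{MD5}` userPassword value. It assumes the old system computes MD5 over the hex text of the first MD5 digest; the uid, base DN and password are constructed sample values.

```python
import base64
import hashlib
import hmac


def legacy_double_md5(password: str) -> str:
    # Assumed legacy scheme: MD5 over the hex text of MD5(password).
    inner_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner_hex.encode()).hexdigest()


def ldap_md5_value(secret: str) -> str:
    # OpenLDAP {MD5} userPassword: base64 of the raw, single MD5 digest.
    digest = hashlib.md5(secret.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def ldap_md5_check(stored: str, typed: str) -> bool:
    # A {MD5} comparison hashes the typed secret once, then compares.
    return hmac.compare_digest(stored, ldap_md5_value(typed))


def import_legacy_as_md5(legacy_hex: str) -> str:
    # Naive conversion: re-encode the SQL hex hash as a {MD5} value.
    return "{MD5}" + base64.b64encode(bytes.fromhex(legacy_hex)).decode()


def ldif_entry(uid: str, base_dn: str, user_password: str) -> str:
    # LDIF modify record that would load the converted value.
    return (f"dn: uid={uid},{base_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {user_password}\n")


if __name__ == "__main__":
    password = "Tr0ub4dor&3"                      # constructed sample
    sql_hash = legacy_double_md5(password)        # what the old table holds
    imported = import_legacy_as_md5(sql_hash)
    print(ldif_entry("zhang", "ou=people,dc=example,dc=com", imported))
    # The user's real password no longer verifies after the import.
    print("real password binds:", ldap_md5_check(imported, password))
    # Only the inner MD5 hex string would verify against the value.
    inner = hashlib.md5(password.encode()).hexdigest()
    print("inner md5 hex binds:", ldap_md5_check(imported, inner))
```
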