RE: RFC2256: userPassword
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Tuesday, June 29, 1999 11:29 AM
> To: Paul Leach
> Use of hashes, especially proven one-way salted digital
> hashes, provides a great deal of protection over cleartext.
They are better than cleartext; no argument. What I'm saying is that they
aren't enough better in today's world.
> A cracker confronted with a hashed password is likely to
> use other mechanisms (such as flaws in the server's host
> operating system) to obtain illicit access.
There are readily available tools that can easily crack hashed passwords.
>
> I would recommend that hashed password syntax recommend use
> of a salted MD5, SHA1, or equivalent strong (and proven)
> one-way hash.
>
Not good enough. These are VERY fast hashes, by design, and can be attacked
very effectively by the means I described in my previous post, and using
hacking tools that are commonly available. Even salt doesn't help enough --
true, it means that the attacker can only attack one password at a time, but
when it only takes a few days (even with only one computer) to run an attack
against easy-to-remember passwords, that's not enough.
Paul
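As an added illustration of the point made above (this code is not part of the thread and is not OpenLDAP's or the author's), the script below runs a dictionary attack against LDAP-style {SHA} and {SSHA} userPassword values. It shows the two things argued in the message: a salted fast hash still falls to a wordlist, and the salt only forces the attacker to redo the wordlist per account rather than once for all accounts. The wordlist, passwords and salts are constructed; the closing timing of PBKDF2 against raw SHA-1 is an added comparison, not something the thread proposes.

```python
"""Dictionary attack against LDAP {SHA} and {SSHA} userPassword values.

Added example, not code from the thread. The wordlist, passwords and salts
are constructed for illustration.
"""
import base64
import hashlib
import time
from typing import Dict, List, Optional, Tuple

SHA1_LEN = 20  # bytes in a SHA-1 digest

# Constructed inputs: a tiny "easy-to-remember passwords" wordlist and fixed
# salts so the run is deterministic. Real attacks use wordlists of millions.
WORDLIST: List[bytes] = [b"password", b"letmein", b"summer99", b"qwerty", b"dragon"]
SALT_ALICE = b"\x01\x02\x03\x04"
SALT_BOB = b"\x05\x06\x07\x08"


def sha_hash(password: bytes) -> str:
    """Unsalted LDAP {SHA} value: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Salted LDAP {SSHA} value: base64(sha1(password || salt) || salt).

    The salt is stored in the clear after the digest, so whoever holds the
    value also holds the salt; salting only defeats precomputed tables and
    cracking many accounts with a single pass over the wordlist.
    """
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt)."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def crack_sha_batch(values: List[str], wordlist: List[bytes]) -> Dict[str, bytes]:
    """Unsalted: hash the wordlist once, then look every account up in it."""
    table = {sha_hash(w): w for w in wordlist}  # len(wordlist) SHA-1 calls in total
    return {v: table[v] for v in values if v in table}


def crack_ssha(value: str, wordlist: List[bytes]) -> Tuple[Optional[bytes], int]:
    """Salted: re-hash the wordlist with this account's own salt.

    Returns (password or None, number of guesses hashed).
    """
    digest, salt = parse_ssha(value)
    for n, word in enumerate(wordlist, 1):
        if hashlib.sha1(word + salt).digest() == digest:
            return word, n
    return None, len(wordlist)


def crack_ssha_many(values: List[str], wordlist: List[bytes]) -> Tuple[Dict[str, Optional[bytes]], int]:
    """Salted accounts cost up to len(values) * len(wordlist) guesses in total."""
    found: Dict[str, Optional[bytes]] = {}
    total = 0
    for v in values:
        pw, n = crack_ssha(v, wordlist)
        found[v] = pw
        total += n
    return found, total


def guess_rate(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guesses/second for hash_fn(password, salt) on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"summer99", SALT_ALICE)
        n += 1
    return n / (time.perf_counter() - start)


def main() -> None:
    alice = ssha_hash(b"summer99", SALT_ALICE)
    bob = ssha_hash(b"qwerty", SALT_BOB)
    carol = ssha_hash(b"Tr0ub4dor&3", SALT_BOB)  # not in the wordlist; survives
    found, work = crack_ssha_many([alice, bob, carol], WORDLIST)
    print("salted {SSHA}:", list(found.values()), "total guesses:", work)

    unsalted = [sha_hash(b"summer99"), sha_hash(b"qwerty"), sha_hash(b"Tr0ub4dor&3")]
    cracked = crack_sha_batch(unsalted, WORDLIST)
    print("unsalted {SHA}:", len(cracked), "of 3 cracked with", len(WORDLIST), "hashes")

    # Why "fast by design" matters: one raw salted SHA-1 guess versus one
    # PBKDF2-HMAC-SHA256 guess at 100000 iterations (added comparison).
    fast = guess_rate(lambda p, s: hashlib.sha1(p + s).digest())
    slow = guess_rate(lambda p, s: hashlib.pbkdf2_hmac("sha256", p, s, 100_000))
    print(f"SHA-1 guesses/s: {fast:,.0f}   PBKDF2 guesses/s: {slow:,.1f}")


if __name__ == "__main__":
    main()
```

Run it as a script: the salted accounts with wordlist passwords are recovered after a handful of hashes each, the unsalted set falls in one pass, and the final line shows the per-guess cost gap between a raw SHA-1 and an iterated KDF on the same machine, which is the lever the message says plain salted MD5/SHA-1 lacks.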