Re: encrypt password by md5 twice?

I'd agree with Gavin. Just go ahead and reset the passwords. Might be a
good time to work on a password self-service solution too. ;)

Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414

Author, "Best Practices for Managing Linux and UNIX Servers"

Identity Management, LDAP, and Linux Integration

Gavin Henry wrote:
> Zhang Weiwu wrote:
>> Dear everyone
>> I am planning to migrate an Intranet info system to authenticate with
>> OpenLDAP, so more of our business can be done with the same login. The
>> old system uses their own SQL table to store user information, no
>> problem, I can write a script to convert to LDIF format. But md5 was
>> used to encrypt user password, and the developer of that system knows
>> md5 is cracked, so he encrypted the md5 hash with md5 method again.
>> clear text password --> md5 hash --> md5 hash of the md5 hash
>> My question:
>>    1. Have you ever heard of this solution to avoid md5 crack? Now as I
>>       cannot reach the original system author, I wonder how this idea
>>       came to be (e.g. why not use SHA).
> not heard of it.
>>    2. Does it work? (is md5 hashed md5 hash much safer with no
>> side-effect?)
> Sounds like it would take twice as long.
>>    3. Now, how can we migrate this system to use OpenLDAP? AFAIK
>>       OpenLDAP has no direct support for such a hash. There are a lot of
>>       users of the system and there will be problems if migration is
>>       done and everyone's password is reset.
> You'd have to get everyone to type in their md5 hash ;-)
> You've no choice but to reset all passwords. Seems like the best time to
> do it under the "migration" umbrella.
> Gavin.
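
Added example, not part of the original thread: a Python model of why the md5-of-md5 column cannot simply be re-encoded into an OpenLDAP {MD5} userPassword value, while a single-MD5 column could. It assumes the legacy system fed the inner digest to the second round as lowercase hex text (the thread does not say); the function names and sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac


def legacy_double_md5(password: str) -> str:
    """Legacy scheme from the thread: md5 hash of the md5 hash.
    Assumption: the inner digest is re-hashed as lowercase hex text."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def to_ldap_md5(hex_digest: str) -> str:
    """Re-encode a hex MD5 digest as a {MD5} userPassword value
    (scheme prefix followed by base64 of the raw 16-byte digest)."""
    return "{MD5}" + base64.b64encode(bytes.fromhex(hex_digest)).decode()


def ldap_md5_verify(user_password: str, supplied: str) -> bool:
    """Model of a {MD5} check: exactly one MD5 round over what was typed."""
    if not user_password.startswith("{MD5}"):
        raise ValueError("not a {MD5} value")
    expected = base64.b64decode(user_password[len("{MD5}"):])
    actual = hashlib.md5(supplied.encode()).digest()
    return hmac.compare_digest(actual, expected)


def migration_outcomes(password: str) -> dict:
    """Try both kinds of legacy column against the {MD5} check."""
    inner_hex = hashlib.md5(password.encode()).hexdigest()
    from_single = to_ldap_md5(inner_hex)                    # single-MD5 column
    from_double = to_ldap_md5(legacy_double_md5(password))  # column in the thread
    return {
        # A plain md5 column migrates: users keep their password.
        "single_md5_bind_with_password": ldap_md5_verify(from_single, password),
        # The double-hashed column does not: the directory hashes only once.
        "double_md5_bind_with_password": ldap_md5_verify(from_double, password),
        # Only the inner hex hash would bind, i.e. "type in their md5 hash".
        "double_md5_bind_with_inner_hash": ldap_md5_verify(from_double, inner_hex),
    }


if __name__ == "__main__":
    # Constructed sample password, not taken from any real system.
    for check, ok in migration_outcomes("correct horse").items():
        print(f"{check}: {ok}")
```

Without the cleartext there is nothing to re-hash into a stronger scheme, which leaves the reset suggested in the thread or re-hashing each password the next time its owner logs in to the old system.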