Re: encrypt password by md5 twice?
I'd agree with Gavin. Just go ahead and reset the passwords. Might be a
good time to work on a password self-service solution too. ;)
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
Author, "Best Practices for Managing Linux and UNIX Servers"
Identity Management, LDAP, and Linux Integration
Gavin Henry wrote:
> Zhang Weiwu wrote:
>> Dear everyone
>> I am planning to migrate an Intranet info system to authenticate with
>> OpenLDAP, so more of our business can be done with the same login. The
>> old system uses their own SQL table to store user information, no
>> problem, I can write a script to convert to LDIF format. But md5 was
>> used to encrypt user password, and the developer of that system knows
>> md5 is cracked, so he encrypted the md5 hash with md5 method again.
>> clear text password --> md5 hash --> md5 hash of the md5 hash
>> My question:
>> 1. Have you ever heard of this solution to avoid md5 crack? Now as I
>> cannot reach the original system author, I wonder how this idea
>> came to be (e.g. why not use SHA).
> not heard of it.
>> 2. Does it work? (is md5 hashed md5 hash much safer with no
> Sounds like it would take twice as long.
>> 3. Now, how can we migrate this system to use OpenLDAP? AFAIK
>> OpenLDAP has no direct support for such a hash. There are a lot of
>> users of the system and there will be problems if migration is
>> done and everyone's password is reset.
> You'd have to get everyone to type in their md5 hash ;-)
> You've no choice but to reset all passwords. Seems like the best time to
> do it under the "migration" umbrella.
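
Why the stored values cannot simply be loaded into userPassword, as an added example that is not part of the original thread: it re-encodes a legacy double-MD5 hash as an OpenLDAP `{MD5}` value and shows which input such an entry would accept. It assumes the old system hashed the lowercase hex string of the first MD5 (the thread does not say); the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac


def legacy_double_md5(password: str) -> str:
    """Legacy scheme (assumed encoding): hex MD5 of the hex MD5 of the password."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def as_ldap_md5(hex_digest: str) -> str:
    """Re-encode a hex MD5 digest as a {MD5} userPassword value (base64 of raw digest)."""
    return "{MD5}" + base64.b64encode(bytes.fromhex(hex_digest)).decode()


def ldap_md5_verify(user_password: str, attempt: str) -> bool:
    """Model of a {MD5} comparison: a single MD5 over exactly what the user typed."""
    if not user_password.startswith("{MD5}"):
        return False
    stored = base64.b64decode(user_password[len("{MD5}"):])
    return hmac.compare_digest(stored, hashlib.md5(attempt.encode()).digest())


def demo() -> dict:
    password = "constructed-sample-password"      # constructed sample, not real data
    legacy_hash = legacy_double_md5(password)     # what the old SQL table holds
    user_password = as_ldap_md5(legacy_hash)      # naive conversion into LDIF form
    inner_hex = hashlib.md5(password.encode()).hexdigest()
    return {
        "userPassword": user_password,
        # The directory hashes once, the table was hashed twice: real password fails.
        "real_password_binds": ldap_md5_verify(user_password, password),
        # Only the intermediate hash matches, which no user knows or should type.
        "inner_hash_binds": ldap_md5_verify(user_password, inner_hex),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the cleartext cannot be recovered from the table, no re-encoding produces a value that the real password satisfies, which is why the replies above end at a reset.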