
Re: Using Debian SID on a Mac SE/30

On Thu, 15 Apr 2021, Stan Johnson wrote:

> > Most of that is probably password hashing. Look in /etc/shadow and 
> > you'll probably find long password hashes. If you're not worried about 
> > weak hashes, you could switch to DES which is probably what A/UX uses. 
> > See 'man login.defs' and 'man 3 crypt'.
> > 
> > BTW, if your password hashes are never leaked or your actual passwords 
> > are guessable anyway then I don't see much benefit from SHA512.
> > 
> > FTR, I'm not advocating guessable passwords and weak hashes. But if 
> > you want to try it, I hear that 12345 is very popular:
> > 
> > $ perl -e 'print crypt("12345","xx")."\n"'
> > xxwddmriJc5TI
> > 
> I've always supported security protocols that match the associated risk. 
> For systems that are not exposed to the public Internet and that require 
> clear-text protocols, anyway, such as telnet and ftp, for reasonable 
> access, there is nothing wrong with minimal password hashes (though I 
> agree "12345" is still a bad idea!).

Yes. And it's not only the hashing of guessable passwords that wastes CPU 
cycles. If we're trying to mitigate the possible leakage of /etc/shadow 
through a privilege escalation attack, and if the strong, unguessable 
passwords in that file were never used elsewhere, SHA512 is still a waste 
of cycles, because privilege escalation would gain access to everything 
protected by those passwords anyway.
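
The hash schemes being discussed (13-character DES crypt versus $6$ SHA-512 crypt with its rounds= work factor) are easy to tell apart by the shape of the second field in shadow(5). Here is a small auditor that does that over a set of constructed shadow entries; it is an added example written for this reply, not code from the list or from Debian, and the digests in the sample (other than the crypt("12345","xx") value quoted above) are fake placeholders. It assumes the standard shadow(5) layout and the crypt(5) default of 5000 rounds when SHA-crypt hashes carry no rounds= field.

```python
"""Report which password-hashing scheme each /etc/shadow entry uses.

Added example for this thread; not code from the list or from Debian.
It parses the password field of shadow(5) entries and reports the scheme
and, for the SHA-crypt family, the rounds= work factor, so you can see which
accounts sit on the cheap 13-character DES crypt and which on $6$ SHA-512.
"""
import re

# Constructed sample entries (fake digests, fake dates). The DES hash for
# "dave" is the crypt("12345","xx") output quoted in the thread.
SAMPLE_SHADOW = """\
root:$6$rounds=656000$saltsaltsaltsalt$FakeSha512Digest..........:18732:0:99999:7:::
alice:$6$saltsaltsaltsalt$FakeSha512DigestNoRoundsField........:18732:0:99999:7:::
bob:$5$saltsaltsaltsalt$FakeSha256Digest.....................:18732:0:99999:7:::
carol:$1$saltsalt$FakeMd5Digest..........:18732:0:99999:7:::
dave:xxwddmriJc5TI:18732:0:99999:7:::
eve:$y$j9T$saltsaltsaltsalt$FakeYescryptDigest..............:18732:0:99999:7:::
frank:!$6$saltsaltsaltsalt$LockedButHashStillPresent.........:18732:0:99999:7:::
daemon:*:18732:0:99999:7:::
nobody:!!:18732:0:99999:7:::
"""

CRYPT_ALPHABET = r"[./0-9A-Za-z]"
# Traditional DES crypt: 2-char salt + 11-char digest, no "$id$" prefix.
# Note it also truncates the password to its first 8 characters.
DES_RE = re.compile(rf"{CRYPT_ALPHABET}{{13}}")
MODULAR_RE = re.compile(r"\$(?P<id>[^$]+)\$(?P<rest>.*)")
ROUNDS_RE = re.compile(r"rounds=(?P<n>\d+)\$")
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # crypt(5) default when rounds= is absent

SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
WEAK = {"descrypt", "md5crypt"}


def classify(field):
    """Describe one shadow password field as {"scheme", "rounds", "locked"}."""
    locked = field.startswith("!")
    body = field.lstrip("!")  # "!hash" is a locked account whose hash remains
    if body in ("", "*"):
        return {"scheme": "none", "rounds": None, "locked": True}
    if DES_RE.fullmatch(body):
        return {"scheme": "descrypt", "rounds": None, "locked": locked}
    m = MODULAR_RE.fullmatch(body)
    if not m:
        return {"scheme": "unknown", "rounds": None, "locked": locked}
    scheme = SCHEMES.get(m.group("id"), "unknown")
    rounds = None
    if scheme in ("sha256crypt", "sha512crypt"):
        r = ROUNDS_RE.match(m.group("rest"))
        rounds = int(r.group("n")) if r else SHA_CRYPT_DEFAULT_ROUNDS
    return {"scheme": scheme, "rounds": rounds, "locked": locked}


def audit(shadow_text):
    """Parse shadow(5) text and return one report dict per account."""
    report = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")  # crypt output never contains ':'
        if len(fields) < 2:
            continue
        info = classify(fields[1])
        info["user"] = fields[0]
        info["weak"] = info["scheme"] in WEAK
        report.append(info)
    return report


def weak_accounts(shadow_text):
    """Usernames stored under DES or MD5 crypt, locked or not.

    Locked entries are included on purpose: locking only prepends '!' and
    leaves the hash in place, so it leaks along with everything else if
    /etc/shadow is ever read.
    """
    return [e["user"] for e in audit(shadow_text) if e["weak"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_SHADOW):
        rounds = "" if e["rounds"] is None else f" rounds={e['rounds']}"
        flag = " LOCKED" if e["locked"] else ""
        print(f"{e['user']:<8} {e['scheme']:<12}{rounds}{flag}")
```

Pass the contents of the real file (read as root) to audit() to see what a given box actually stores; on a Mac SE/30 the rounds column is the number that matters, since each login costs that many SHA-512 iterations. The scheme and rounds for newly set passwords come from ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS in /etc/login.defs, which is where the thread's pointer to 'man login.defs' leads.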
