
Re: md5sum passwords

> Karl Ferguson writes ("Re: md5sum passwords"):
> > I know what you're all saying, but I'd definitely like the MD5 in place as an 
> > optional extra.  Isn't that possible?  The extra security as an Internet 
> > Provider is a much needed asset...
> As I wrote earlier, MD5 used in this way is not significantly more
> secure than traditional crypt.  The problem with Unix passwords isn't
> the length limit, it's the poor diversity and the ease with which an
> attacker can test a guess.
> The poor diversity can be protected by making guessing harder; that's
> what my proposal is intended to do.
> I dread to think what the consequences will be if we try to go through
> all of our programs making sure that they cope with longer passwords
> and longer encrypted passwords, and in any case there would be little
> point since it doesn't solve either of the problems.

I disagree.  Setting a minimum length of 10 characters is pretty effective.
With pretty much unrestricted password length, people can use a fairly
easy to remember sentence, including punctuation, as a password which
would be almost impossible to guess and completely infeasible to crack
in the way programs like Crack try to work.

People trying to break in aren't on the whole dumb enough to sit there
trying to guess passwords.

While password measures like this are just part of a well implemented
secure environment, they're a useful part.

Of course the best solution would be to go all the way to a trusted
computing base security environment like in DEC's OSF/1.

... Stephen
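The thread turns on whether a length limit matters. The added example below (not from Stephen's message or anyone else in the thread) models the classic 8-character cut-off of traditional crypt(3) with a SHA-256 stand-in hash (an assumption for illustration, not real crypt(3) or MD5-crypt) so that the effect of truncation, the 10-character minimum, and the guess-space gain from a passphrase can all be observed on constructed samples.

```python
"""Added example: why the 8-character limit of traditional crypt matters.

The stand-in hash is SHA-256 over salt+password; it is NOT crypt(3) and is
only here to show what a scheme that ignores bytes past position 8 does.
"""
import hashlib
import hmac
import math
from typing import Callable, Optional

TRUNCATE_AT = 8          # classic DES-crypt limit discussed in the thread
PRINTABLE_ASCII = 95     # printable, non-control ASCII characters


def legacy_hash(salt: bytes, password: str) -> bytes:
    """Stand-in for an 8-character-limited scheme: bytes past 8 are dropped."""
    return hashlib.sha256(salt + password.encode()[:TRUNCATE_AT]).digest()


def full_hash(salt: bytes, password: str) -> bytes:
    """Stand-in for a scheme that hashes the whole passphrase."""
    return hashlib.sha256(salt + password.encode()).digest()


def verify(hash_fn: Callable[[bytes, str], bytes], salt: bytes,
           stored: bytes, attempt: str) -> bool:
    """Constant-time comparison of a stored hash against a guess."""
    return hmac.compare_digest(stored, hash_fn(salt, attempt))


def effective_length(password: str, scheme_limit: Optional[int]) -> int:
    """Number of characters the hash actually depends on."""
    return len(password) if scheme_limit is None else min(len(password), scheme_limit)


def guess_space_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """log2 of the candidates an exhaustive guesser must try for that length."""
    return length * math.log2(alphabet_size)


def meets_minimum(password: str, minimum: int = 10) -> bool:
    """The policy argued for in the thread: at least 10 printable characters."""
    return len(password) >= minimum and all(32 <= ord(c) <= 126 for c in password)


if __name__ == "__main__":
    salt = b"constructed-salt"
    passphrase = "Hello, world!"   # constructed sample, 13 characters
    sibling = "Hello, w0RLD?"      # constructed: same first 8 characters
    print("legacy accepts sibling:", verify(legacy_hash, salt, legacy_hash(salt, passphrase), sibling))
    print("full accepts sibling:  ", verify(full_hash, salt, full_hash(salt, passphrase), sibling))
    for limit in (TRUNCATE_AT, None):
        n = effective_length(passphrase, limit)
        print(f"limit={limit}: {n} chars count, ~{guess_space_bits(n):.1f} bits of guess space")
```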
