Re: md5sum passwords

To: debian-devel@Pixar.com
Subject: Re: md5sum passwords
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
Date: Sat, 18 Nov 95 17:52 GMT
Message-id: <[🔎] m0tGrRi-0002YGC@chiark.chu.cam.ac.uk>
In-reply-to: <[🔎] 199511161326.IAA18905@mines.cnd.mcgill.ca>
References: <[🔎] 199511161326.IAA18905@mines.cnd.mcgill.ca> <[🔎] m0tG4qw-000LhQC@orion.tower.com.au> <199511160137.BAA08143@shellx.best.com>

Karl Ferguson writes ("Re: md5sum passwords"):
> I know what you're all saying, but I'd definately like the MD5 in place as an 
> optional extra.  Isn't that possible?  The extra security as an Internet 
> Provider is a much needed asset...

As I wrote earlier, MD5 used in this way is not significantly more
secure than traditional crypt.  The problem with Unix passwords isn't
the length limit, it's the poor diversity and the ease with which an
attacker can test a guess.

The poor diversity can be protected by making guessing harder; that's
what my proposal is intended to do.

I dread to think what the consequences will be if we try to go through
all of our programs making sure that they cope with longer passwords
and longer encrypted passwords, and in any case there would be little
point since it doesn't solve either of the problems.

I agree with Andrew Fernandes's comments.

Ian.

Reply to:

Follow-Ups:
- Re: md5sum passwords
  - From: stephen@beldin.it.com.au (Stephen Darragh)

References:
- Re: md5sum passwords
  - From: "Andrew D. Fernandes" <adfernan@cnd.mcgill.ca>
- Re: md5sum passwords
  - From: karl@tower.com.au (Karl Ferguson)

Prev by Date: Re: aout-* packages
Next by Date: Re: Warning people off 1.0 (was Re: Unidentified subject!)
Previous by thread: Re: md5sum passwords
Next by thread: Re: md5sum passwords
Index(es):
- Date
- Thread