
Re: md5 default (was Re: Security trough paranoia)

Aaron Lehmann <aaronl@vitelus.com> writes:

> Why hasn't SHA-1 been considered as a password hash algorithm? It's
> typically considered more secure than MD5 in crypto circles[1].

OpenBSD and FreeBSD, at least, already support Blowfish hashes for
passwd entries with "$2" as the password type, so this would be the
one to go with for something more secure.

> I'm not familiar with the typical implementations of MD5 passwords,
> but do they use some kind of salt[2]?

Yes.  If you have a look at /etc/shadow, it's the bit between the
"$1$" and the following $ symbol.

	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

	    "Quiet, you'll miss the humorous conclusion."
