Re: md5 default (was Re: Security trough paranoia)
Aaron Lehmann <email@example.com> writes:
> Why hasn't SHA-1 been considered as a password hash algorithm? It's
> typically considered more secure than MD5 in crypto circles.
OpenBSD and FreeBSD, at least, already support Blowfish hashes for
passwd entries with "$2" as the password type, so this would be the
one to go with for something more secure.
> I'm not familiar with the typical implementations of MD5 passwords,
> but do they use some kind of salt?
Yes. If you have a look at /etc/shadow, it's the bit between the
"$1$" and the following $ symbol.
Carey Evans http://home.clear.net.nz/pages/c.evans/
"Quiet, you'll miss the humorous conclusion."