On Sat, Apr 07, 2001 at 04:52:18PM +1200, Carey Evans wrote:
> Aaron Lehmann <aaronl@vitelus.com> writes:
>
> > Why hasn't SHA-1 been considered as a password hash algorithm? It's
> > typically considered more secure than MD5 in crypto circles[1].
>
> OpenBSD and FreeBSD, at least, already support Blowfish hashes for
> passwd entries with "$2" as the password type, so this would be the
> one to go with for something more secure.

No kidding. Try running john on the three different types: with old-style
crypt it can get around 64000 hashes per second, MD5 is down to 1400, and
OpenBSD Blowfish about 30 (on a 400ish MHz machine). It even takes several
minutes to break a hideously lame password hashed in Blowfish, compared to
the near-instant results under MD5.

You can also raise the number of rounds used under OpenBSD; by default root
has a few more rounds than ordinary users, which makes brute-force attacks
even slower still.

--
Ethan Benson
http://www.alaska.net/~erbenson/
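An added example, not part of the thread: the three hash types discussed (traditional DES crypt, md5crypt with a "$1$" prefix, and the "$2" Blowfish/bcrypt format whose embedded cost field is the round count the message mentions) can be told apart from the password field alone. The audit below classifies each entry of a passwd/shadow-style file and flags anything that is not bcrypt or whose cost sits below a floor, with a higher floor for root to mirror OpenBSD's default of extra rounds for that account. Sample entries and the regex patterns are constructed here; the hash bodies are filler of the right length, not real hashes.

```python
import re
from typing import Optional

# Recognisers for the three crypt(3) formats as they appear in the second
# field of a passwd/shadow line (hypothetical patterns written for this example).
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                            # traditional DES crypt
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")   # md5crypt ("$1$")
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./0-9A-Za-z]{53}$")    # bcrypt ("$2", "$2a", ...)

def classify(field: str) -> tuple[str, Optional[int]]:
    """Return (scheme, cost); cost is the bcrypt log2 work factor, None for other schemes."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked", None)
    m = BCRYPT_RE.match(field)
    if m:
        return ("bcrypt", int(m.group(1)))
    if MD5_RE.match(field):
        return ("md5crypt", None)
    if DES_RE.match(field):
        return ("descrypt", None)
    return ("unknown", None)

def audit(shadow_text: str, min_cost: int = 8, per_user_min: Optional[dict] = None) -> list[dict]:
    """Flag entries that are not bcrypt, or bcrypt entries whose cost is below the floor.
    per_user_min lets privileged accounts (e.g. root) demand a higher cost."""
    per_user_min = per_user_min or {}
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        user, field = parts[0], (parts[1] if len(parts) > 1 else "")
        scheme, cost = classify(field)
        if scheme == "locked":
            continue  # no usable password, nothing to crack
        floor = per_user_min.get(user, min_cost)
        if scheme != "bcrypt" or cost < floor:
            findings.append({"user": user, "scheme": scheme, "cost": cost, "required": floor})
    return findings

# Constructed sample entries (not real hashes): hash bodies are filler of the right length.
SAMPLE_SHADOW = "\n".join([
    "root:$2a$10$" + "A" * 53 + ":11420:0:99999:7:::",      # bcrypt, cost 10
    "alice:$2a$06$" + "B" * 53 + ":11420:0:99999:7:::",     # bcrypt, cost 6
    "bob:$1$saltsalt$" + "C" * 22 + ":11420:0:99999:7:::",  # md5crypt
    "carol:" + "D" * 13 + ":11420:0:99999:7:::",            # DES crypt
    "daemon:*:11420:0:99999:7:::",                           # locked account
])

if __name__ == "__main__":
    for f in audit(SAMPLE_SHADOW, min_cost=8, per_user_min={"root": 12}):
        print(f)
```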