
Re: password hash in shadow file


On Tue, Mar 13, 2018 at 07:36:19PM +0100, Sven Hartge wrote:
> tomas@tuxteam.de wrote:


> > Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> > all too easily 
> Yes, basically.
> > But I don't think your operating system is going to do that behind
> > your back ;-)
> It would be quite obvious when just starting "passwd" takes several days
> while it cracks your MD5 hash to replace it with a stronger one ;)

And possibly eat through a disk or two (or are rainbow tables
superfluous with current GPUs? I don't know).

All that to choose quite probably a *different* password which happens
to hash to the same MD5. Login no more possible, but now secure :)

> But on that note: I wonder if one could create a PAM module which will
> do just that on successful login. Once you *know* you have the right
> password (and the PAM system has that knowledge including the plain text
> password the user entered) just rehash it and update /etc/shadow.
> This will gradually upgrade all hashes once a user uses an account.

That would be downright sneaky :-)

-- t
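
The rehash-on-login idea from the quoted message, as an added example that is not part of the thread and is not a PAM module: a shell function that checks a password against one MD5-crypt shadow line and, on a match, emits the same line with a new hash. Assumptions: `openssl passwd` with `-6` support (OpenSSL 1.1.1 or later), SHA-512-crypt as the stronger scheme, and the hypothetical names `upgrade_line` and `demo`; the line is handled as text and /etc/shadow is never touched.

```shell
#!/bin/sh
# Added example: rehash one shadow(5) line after a successful password check.
# The line is handled as text; nothing here reads or writes /etc/shadow.

# upgrade_line SHADOW_LINE PASSWORD   (hypothetical helper)
# Returns 0 and prints the upgraded line if the hash was MD5-crypt and the
# password matched, 1 if the password is wrong, 2 if the hash is not
# MD5-crypt (line printed unchanged).
upgrade_line() {
    line=$1
    pw=$2
    user=${line%%:*}        # field 1: login name
    rest=${line#*:}
    hash=${rest%%:*}        # field 2: $id$salt$digest
    meta=${rest#*:}         # fields 3-9: ageing data, kept as-is

    case $hash in
        '$1$'*) ;;                               # MD5-crypt: upgrade candidate
        *) printf '%s\n' "$line"; return 2 ;;    # locked, empty or already newer
    esac

    # Recompute MD5-crypt with the stored salt; equality proves the password.
    salt=$(printf '%s\n' "$hash" | cut -d'$' -f3)
    check=$(printf '%s\n' "$pw" | openssl passwd -1 -salt "$salt" -stdin)
    [ "$check" = "$hash" ] || return 1

    # Only now is the plaintext known to be right: hash it again with
    # SHA-512-crypt and a fresh random salt chosen by openssl.
    new=$(printf '%s\n' "$pw" | openssl passwd -6 -stdin)
    printf '%s:%s:%s\n' "$user" "$new" "$meta"
}

# Constructed demo entry (not a real account or password).
demo_old=$(printf '%s\n' 'hunter2' | openssl passwd -1 -salt 'Xy12abCD' -stdin)
upgrade_line "demo:$demo_old:17603:0:99999:7:::" 'hunter2'
```

A wrong password leaves the stored hash alone, so a failed login can never overwrite the entry with a hash of the attacker's guess.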