httpd-dev mailing list archives

From: Stefan Fritsch
Subject: Re: md5crypt passwords
Date: Wed, 20 Jun 2012 21:52:23 GMT
On Wednesday 20 June 2012, Reindl Harald wrote:
> Am 20.06.2012 23:19, schrieb Reindl Harald:
> > Am 20.06.2012 22:52, schrieb Stefan Fritsch:
> >> On Wed, 20 Jun 2012, Nick Edwards wrote:
> >>> I posted this to users list last week but no-one bit, so I'm
> >>> trying here.
> >>> 
> >>> With md5crypt no longer recommended for use by its author, will
> >>> Apache soon support sha256/sha512 in basic authentication via
> >>> MySQL.
> >> 
> >> Note that it does not really matter that much which hash
> >> algorithm is used. The number of rounds is more important.
> >> APR-MD5 ("$apr1$") does 1000 times recursive md5 (which is 1000
> >> times more secure in terms of brute forcing than plain md5).
> > 
> > jesus christ do not tell this any crypto specialist!
> > this is completely wrong and the opposite is true
> > 
> > you do NOT NEED the right password
> > you ONLY need a hash-collision
> > 
> > in the worst case md5(password(md5(password)) is much more
> > insecure than md5(password) alone! why?
> > 
> > because if my password is longer than a hash and you are
> > hashing the hash again the original password will no
> > longer matter - the collision is based on the shorter one

I should have written "it does not really matter that much *which of 
the mentioned hash algorithms* is used". If you use a very short hash, 
of course you have a problem. But md5 is not short in this sense. It's 
128 bit which corresponds to around 19 characters if you assume around 
6.5 bits of entropy per char. This is not a relevant limitation. And 
that problem is independent of the number of rounds, actually.

> one more reason:
> md5('jKül#*+-OA') is MUCH more secure
> than md5(md5('jKül#*+-OA'))
> recursion of hashing results in losing any benefit
> of special chars and case-sensitivity because the
> second hash is based only on a-z and 0-9

No, if your hash length is longer than the entropy in the password, 
you don't lose anything. If you chose a hex or ascii 
representation of md5, you would get a longer string (32 chars in the 
case of hex). The longer length exactly cancels the reduced entropy 
per character. NB, apr uses binary representation of md5 internally 
(i.e. 16 bytes and every byte can actually take all 256 values).

> you do not need the original password!
> you only need a hash-collision and can leave out
> special chars completely to find one

You need a password that gives the same value after 1000 rounds of 
md5(password md5(password md5(password ...))). This is much more 
expensive to find with brute force than a password that gives a 
collision for a single md5.
