httpd-dev mailing list archives

From Reindl Harald
Subject Re: md5crypt passwords
Date Wed, 20 Jun 2012 22:27:33 GMT

On 21.06.2012 00:14, Stefan Fritsch wrote:
> On Wednesday 20 June 2012, Reindl Harald wrote:
>> there is a reason why even the developer of md5crypt
>> saw the need for an official statement that md5crypt
>> should never again be considered as secure in any case!
> Follow the link in his statement:
> They can try around 1 million md5crypt operations per second (md5crypt 
> is basically the same as APR-MD5). For plain md5 (one round) there are 
> programs that do more than 200 million operations per second. That's a 
> rather big difference. And plain sha1 or even sha512 is much closer to 
> plain md5 than to md5crypt.
> I agree that we should use something more secure, really soon. But 
> there is no reason to panic, yet.

here we agree
no reason for panic now

i only needed to point out that weakhash(weakhash(weakhash()))
does not result in stronghash() no matter how often you wrap

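An added example, not part of the original thread: it turns the two guess rates quoted above into worst-case search times and into the equivalent password entropy the slowdown buys. The 62-character alphabet and the password lengths are assumptions chosen for illustration.

```python
import math

# Guess rates quoted in the thread (operations per second).
MD5CRYPT_RATE = 1_000_000      # "around 1 million md5crypt operations per second"
PLAIN_MD5_RATE = 200_000_000   # "more than 200 million operations per second"

ALPHABET = 62  # assumption: a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(candidates: int, guesses_per_second: int) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second


def stretch_bits(fast_rate: int, slow_rate: int) -> float:
    """Bits of effective entropy gained by slowing each guess down."""
    return math.log2(fast_rate / slow_rate)


def equivalent_extra_chars(fast_rate: int, slow_rate: int, alphabet_size: int) -> float:
    """Extra password characters that would buy the same slowdown."""
    return math.log(fast_rate / slow_rate, alphabet_size)


def comparison_table(lengths=range(6, 11)):
    """Rows of (length, days at plain-MD5 rate, days at md5crypt rate)."""
    day = 86_400
    return [
        (n,
         exhaust_seconds(keyspace(ALPHABET, n), PLAIN_MD5_RATE) / day,
         exhaust_seconds(keyspace(ALPHABET, n), MD5CRYPT_RATE) / day)
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"slowdown is worth {stretch_bits(PLAIN_MD5_RATE, MD5CRYPT_RATE):.2f} bits, "
          f"or {equivalent_extra_chars(PLAIN_MD5_RATE, MD5CRYPT_RATE, ALPHABET):.2f} "
          f"extra characters")
    for n, plain_days, crypt_days in comparison_table():
        print(f"len {n:2d}: plain md5 {plain_days:14.2f} d   md5crypt {crypt_days:14.2f} d")
```

A fixed slowdown multiplies every row by the same constant, so it is worth a fixed number of bits regardless of password length, and that constant shrinks as guessing hardware gets faster.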