httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: md5crypt passwords
Date Wed, 20 Jun 2012 22:27:33 GMT


On 21.06.2012 00:14, Stefan Fritsch wrote:
> On Wednesday 20 June 2012, Reindl Harald wrote:
>> there is a reason why even the developer of md5crypt
>> saw the need for an official statement that md5crypt
>> should never again be considered as secure in any case!
> 
> 
>> http://phk.freebsd.dk/sagas/md5crypt_eol.html
> 
> Follow the link in his statement:
> 
> http://2012.sharcs.org/slides/sprengers.pdf
> 
> They can try around 1 million md5crypt operations per second (md5crypt 
> is basically the same as APR-MD5). For plain md5 (one round) there are 
> programs that do more than 200 million operations per second. That's a 
> rather big difference. And plain sha1 or even sha512 is much closer to 
> plain md5 than to md5crypt.
> 
> I agree that we should use something more secure, really soon. But 
> there is no reason to panic, yet.

here we agree
no reason for panic now

i only needed to point out that weakhash(weakhash(weakhash()))
does not result in stronghash() no matter how often you wrap


