From: Reindl Harald
Date: Wed, 20 Jun 2012 23:59:12 +0200
To: dev@httpd.apache.org
Subject: Re: md5crypt passwords

On 20.06.2012 23:52, Stefan Fritsch wrote:
>> you do not need the original password!
>> you only need a hash-collision and can leave out
>> special chars completely to find one
>
> You need a password that gives the same value after 1000 rounds of
> md5(password md5(password md5(password ...))). This is much more
> expensive to find with brute force than a password that gives a
> collision for a single md5

everybody with crypto knowledge will explain to you that you are
totally wrong - I can only try in my words!

in the context of a hash-collision and rainbow-tables you need
any string producing the same hash, no matter if 1, 10 or 1000
times md5() recursion

there is a reason why even the developer of md5crypt saw the need
for an official statement that md5crypt should never again be
considered as secure in any case!

-------- Original Message --------
Subject: CVE-2012-3287: md5crypt is no longer considered safe
Date: Fri, 8 Jun 2012 00:04:49 GMT
From: phk@FreeBSD.org
To: bugtraq@securityfocus.com

The LinkedIn password incompetence has resulted in a number of
"just use md5crypt and you'll be fine" pieces of advice on the net.

Since I no longer consider this to be the case, I have issued an official
statement, as the author of md5crypt, to the opposite effect:

http://phk.freebsd.dk/sagas/md5crypt_eol.html

Please find something better now.

Thanks for using my code.

Poul-Henning Kamp
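
The round count discussed in this thread, as an added example that is not part of the original message or of httpd's code: a simplified iterated-MD5 loop (not the real md5crypt algorithm, which mixes its inputs differently) that reports how many digest calls one verification costs, next to PBKDF2 from Python's standard library, where the iteration count is stored with the hash and can be raised. All function names, salts, passwords and iteration values are constructed for illustration.

```python
import hashlib
import hmac

FIXED_ROUNDS = 1000  # the round count quoted in the thread; not configurable


def iterated_md5(password: bytes, salt: bytes, rounds: int = FIXED_ROUNDS):
    """Simplified stand-in for an iterated MD5 password hash.

    Returns (digest, md5_calls) so the cost of one verification is visible.
    """
    digest = hashlib.md5(salt + password).digest()
    calls = 1
    for _ in range(rounds - 1):
        digest = hashlib.md5(password + digest).digest()
        calls += 1
    return digest, calls


def pbkdf2_record(password: bytes, salt: bytes, iterations: int) -> dict:
    """Store the work factor beside the hash so it can be raised later."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations, "salt": salt, "hash": dk}


def pbkdf2_verify(password: bytes, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password, record["salt"], record["iter"])
    return hmac.compare_digest(dk, record["hash"])


def needs_rehash(record: dict, minimum_iterations: int) -> bool:
    """True when a record was created below the current policy value."""
    return record["iter"] < minimum_iterations


if __name__ == "__main__":
    salt = bytes(16)  # constructed sample salt; use os.urandom(16) in practice
    _, calls = iterated_md5(b"sample-password", salt)
    print("digest calls per verification (fixed):", calls)

    rec = pbkdf2_record(b"sample-password", salt, 10_000)  # constructed value
    print("verifies:", pbkdf2_verify(b"sample-password", rec))
    print("rehash on next login:", needs_rehash(rec, 200_000))
```

A record flagged by `needs_rehash` can be recomputed with the higher count at the user's next successful login, which a scheme with a hard-coded round count cannot do.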