[lug] MD5 strength?
D. Stimits
stimits at attbi.com
Sat Aug 31 13:41:06 MDT 2002
rm at fabula.de wrote:
> On Fri, Aug 30, 2002 at 06:48:40PM -0600, D. Stimits wrote:
>
>>I am curious, for the MD5 password hash, is this currently considered
>>strong, or is it easily broken by normal hardware? I have people telling
>>me that password hash is useless and broken quite easily, and if this is
>>about old style passwords, I agree...but with MD5, I do not believe that
>>any real weakness, other than perhaps theoretical, has been found. If
>>someone uses a buffer overflow attack to email the shadow file, and if
>>the shadow file is MD5, what kind of difficulty would the attacker have
>>at cracking non-common passwords (passwords not from common words,
>>where it must actually be broken instead of guessed)?
>
>
> Humpf? As the name 'hash' already implies: there is no way to "break"
> an MD5 password--the original password can't be recovered from the
> crypted version (the crypted version is a _M_essage _D_igest). Now, for
This is true only if it is not practical to generate all/most possible
combinations/permutations of characters. I believe generating a
dictionary of hashes from known words is trivial in any one-way hash,
but due to seed/salt and other size difficulties, this is not
necessarily true on *some* algorithms, where computing power and storage
space is limited. The context of the question is not general encryption,
it is about finding the password...having a dictionary of all
combinations/permutations of permitted characters counts. However, there
is a further stipulation in the original question...that the password
being used is not a stupid common word, that the chosen password is
random. In the case of single DES, it would be trivial to create a
dictionary of all possible hashes of all 8 character or less password
phrases, even if completely made up of random characters.
So far it looks like most answers tend to say that MD5 is a fair hash if
the password chosen is good. I suppose this is why a number of package
management utilities still use MD5 for checks against tampering, rather
than moving to something "better" (like SHA-1).
> login etc. you don't _need_ the original version, you only need a word
> that will hash to the same value, and that's where the concerns you mention
> start: given enough hardware it's possible to find words that hash to
> the same value. So, for really strong security you might want to pick
> another digest method (SHA seems to be safe).
I don't disagree at all, but I am interested in MD5 because there seems
to be some mistaken assumption still out there in the world that if
someone manages to read a shadow password file that all of your
passwords are useless even though encrypted. I think that this is due to
the original crypt function using only DES. The glibc version offers MD5
in addition to single DES, which is why I am interested in it. Using MD5
only requires glibc be present, whereas SHA-1 and most newer "strong"
algos require OpenSSL [with a different license, which has caused some
people to argue...nobody argues about whether they can link dynamically
to glibc and call the crypt function for passwords].
D. Stimits, stimits AT attbi.com
>
> Ralf Mattes
>
>
>>D. Stimits, stimits AT attbi.com
>>
>>_______________________________________________
>>Web Page: http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
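The thread turns on which crypt(3) scheme a shadow entry actually uses (single DES truncated to 8 characters versus glibc's salted MD5). As an added example, not code from this thread or from glibc, here is a small audit helper that classifies shadow-style entries by their crypt prefix and flags the two legacy schemes discussed above; the SHA-crypt, bcrypt and yescrypt prefixes it also recognises were added to glibc well after 2002, and the sample entries are constructed, not real hashes.

```python
"""Classify the hash scheme of shadow-style password entries (added example)."""
import re

# glibc crypt(3) prefixes. $1$ (salted MD5) is the scheme the thread discusses;
# $5$/$6$ (SHA-crypt), bcrypt and yescrypt came to glibc much later.
SCHEMES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$y$": "yescrypt",
}
LEGACY = {"des", "md5crypt"}            # schemes worth migrating away from
# Traditional DES crypt: 2-char salt + 11 chars from the 64-char alphabet
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field: str) -> str:
    """Return the scheme name for one shadow password field."""
    if field == "":
        return "empty"                   # no password at all
    if field.startswith(("*", "!")):
        return "locked"                  # account has no usable hash
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit(shadow_text: str) -> dict:
    """Map each user to (scheme, is_legacy) from shadow-file text."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        scheme = classify(field)
        report[user] = (scheme, scheme in LEGACY)
    return report


# Constructed sample shadow lines; the hash fields are illustrative only.
SAMPLE = """\
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
bob:abJnggxhB/yWI:15000:0:99999:7:::
carol:$6$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (scheme, legacy) in audit(SAMPLE).items():
        print(f"{user:8} {scheme:12} {'LEGACY' if legacy else 'ok'}")
```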