
Bugtraq mailing list archives
Re: MD5 To Be Considered Harmful Someday
From: Solar Designer <solar () openwall com>
Date: Thu, 9 Dec 2004 00:17:57 +0300
On Tue, Dec 07, 2004 at 10:36:27PM -0600, Gandalf The White wrote:
> What I am worried about is the integrity of MD5 hashed passwords. This
> concern is for both Cisco and *NIX passwords. Let's say that I have a
> password:
>
> "ThisIsMySecretPassphrase" MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

Do not worry, these FreeBSD-style MD5-based crypt(3) hashes are at no
added risk given the recent discovery (which, by the way, was expected).
The algorithm is far more complicated than "raw" MD5. It consists of
1000 iterations of MD5 with both output from the previous iteration
and the original input (plaintext password and salt) being rolled into
the hash on each iteration.

> It actually is beginning to sound like there might be enough of a hole
> in MD5 that "we" (collectively) had better start working on SHA-2
> hashed passwords ...

No. It's been wrong to directly use raw MD5 (or SHA-1 or whatever fast
message digest function) for password hashing anyway.

The choice of the underlying cryptographic primitive (be it a message
digest function such as MD5 or a block cipher such as DES or Blowfish)
has very little impact on the security of a decent password hashing
algorithm. It's the higher-level algorithm which is of more importance.

The best currently widely-deployed password hashing algorithm is
bcrypt by David Mazieres and Niels Provos. The most important
property of bcrypt is that it is adaptable to future processor
performance improvements, allowing you to arbitrarily increase the
processing cost of checking a password while still maintaining
compatibility with your older password hashes. Already now bcrypt
hashes you would use are several orders of magnitude stronger than
traditional Unix DES-based or FreeBSD-style MD5-based hashes.

Niels originally implemented bcrypt for OpenBSD (which uses bcrypt by
default) and that code has since been rolled into FreeBSD and NetBSD
(but still not enabled by default?!) My public domain, faster(*), and
reentrant re-implementation of it and related links are available at:

http://www.openwall.com/crypt/

This implementation is currently fully integrated into Owl and
distributions by ALT Linux team, as the default password hashing
scheme. It is a part of the glibc package on ASPLinux and SuSE Linux.

(*) In this context, faster means slightly more secure since a 2x
speedup translates to twice higher iteration counts to be set by a
system administrator and thus effective strength of passwords
stretched by 1 bit more.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
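The reply above describes the FreeBSD-style $1$ scheme only in outline: 1000 rounds of MD5, each one re-mixing the previous output with the original password and salt. The following is an added worked example, not code from the mail or from Openwall: a plain-Python transcription of Poul-Henning Kamp's md5-crypt construction (the same algorithm crypt(3) runs for "$1$" settings), written so the per-round mixing pattern is visible. It uses only hashlib and hmac from the standard library; the known-answer value in the comments is the one used by glibc's own crypt/md5c-test.c, and the salt "Vjuf" is taken from the quoted message.

```python
"""md5-crypt ("$1$"), the FreeBSD-style password hash, in plain Python.

Added illustration of the construction described in the mail above.
It follows PHK's original algorithm step by step; it is not Openwall's
or FreeBSD's code.
"""
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the scheme: the "1000 iterations" from the mail


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: least significant 6 bits first, no padding."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> bytes:
    """Return the full b'$1$<salt>$<hash>' string for password and salt.

    `salt` may be a bare salt or a complete setting/hash string such as
    b'$1$Vjuf$...'; like crypt(3), at most 8 salt bytes are used.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]

    # Initial context: password, magic string, salt.
    ctx = hashlib.md5(password + MAGIC + salt)

    # alt = MD5(password + salt + password); fold len(password) bytes of it in.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # PHK's "something really weird": walk the bits of len(password); a set
    # bit contributes a NUL byte, a clear bit the first password byte.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # The 1000-round stretch. Every round rehashes the previous digest
    # together with the original password and salt, in an order that
    # depends on the round number, so no round can be skipped or reused.
    for r in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(password if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(password)
        ctx1.update(final if r & 1 else password)
        final = ctx1.digest()

    # The 16 output bytes are permuted before encoding, which is why the
    # result is not a plain base64 of an MD5 digest.
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return MAGIC + salt + b"$" + encoded


def verify(password: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(md5_crypt(password, stored), stored)


if __name__ == "__main__":
    # glibc's crypt/md5c-test.c known answer:
    # "Hello world!" with setting "$1$saltstring" -> $1$saltstri$YMyguxXMBpd2TEZ.vS/3q1
    print(md5_crypt(b"Hello world!", b"$1$saltstring").decode())
    h = md5_crypt(b"ThisIsMySecretPassphrase", b"Vjuf")  # salt from the quoted mail
    print(h.decode(), verify(b"ThisIsMySecretPassphrase", h))
```

Reading the round loop is the point: a collision in the compression function of MD5 gives an attacker nothing here, because every round is keyed by the unknown password and the salt, and the output of one round is the input of the next. What the construction lacks, and what the mail holds up bcrypt for, is any way to raise ROUNDS without changing the hash format; 1000 is baked in.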
