Subject: Re: crypt(3)
To: None <>
From: Luke Mewburn <>
List: current-users
Date: 11/16/1994 15:47:13

> Obviously people have to have the option of using old style
> formats. However, I'll point out that crypt(3) is creaking badly. The
> cost of simply brute forcing an arbitrary password regardless of how
> obscure it happens to be is getting dangerously close to
> practicality. MD5, or even better, SHA, is a far safer bet for the
> long term.

Advantages of staying with DES:
- compatible passwords with other systems
- des_encrypt(), etc, functionality remains in libcrypt
- whilst not exportable, versions exist for non-US people
  (e.g., gnuc-crypt, and for Australians, FreeSec is a
  drop-in replacement for NetBSD libcrypt)

Advantages of using MD5:
- more secure than DES
- exportable?

Anyway, the main reason people are saying `MD5' is because it's
harder to crack. In practical terms, if people can access the
crypted passwords in /etc/master.password, you've got more problems
to worry about than brute force attacks on your crypted
passwords ;|

Luke Mewburn, <>

``"..(and) We've heard how teen prostitution, pregnancy, drug use, cults,
  runaways, suicide and poor hygiene are sweeping this nation. We thought you
  might like to share with the committee any particular *causes* you might see
  for those latter problems...".   "I dunno, Maybe the proliferation of
  narrow, suffocating zealotry masquerading as parenting in this country."''
    -- Steve Dallas, 'Bloom County'