Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: David Laight <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/25/2002 18:18:07
In message <20020525221116.C1044@snowdrop.l8s.co.uk>, David Laight writes:
>> So, as I said before: Blowfish isn't a bad way to hash passwords; it's
>> simply not designed for that purpose.
>>From "Applied Cryptography" by Bruce Schneier, 2nd Ed page 336:
>"Blowfish is an algorithm of my own design, ... Blowfish is
>not suitable for applications such as ..., or as a one way
Blowfish per se isn't designed as a one-way hash, but the OpenBSD code
uses it in a particular way for that purpose -- see the Usenix paper.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)