Re: Which password cipher ?

To: Joel Carnat <joel%carnat.net@localhost>
Subject: Re: Which password cipher ?
From: Steven Bellovin <smb%cs.columbia.edu@localhost>
Date: Tue, 30 Nov 2010 17:32:38 -0500

On Nov 30, 2010, at 4:58 17PM, Joel Carnat wrote:

> Hi,
> 
> I'm installing a new domU and just realize I always choose the DES cipher for 
> storing local passwords as it is supposed to be the most compatible. I 
> personally don't use NIS (anymore) and password I share are store in LDAP 
> using SSHA1.
> 
> Is it still save to store local password in DES or should something else be 
> used if possible ?
> If so, what's the best option Blowfish, SHA1 ?
> 
> I read SHA1 has issues and SHA2 based cipher should be preferred.
> It also seems that OpenBSD uses Blowfish.

The weaknesses in SHA1 are completely irrelevant here.

The big problem with the traditional DES method is that passwords are limited 
to 8 characters.  The SHA-1 method -- which is really HMAC-SHA1 method -- does 
not have any arbitrary limit; this is the one I recommend.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Follow-Ups:
- Re: Which password cipher ?
  - From: Joerg Sonnenberger

References:
- Which password cipher ?
  - From: Joel Carnat

Prev by Date: Re: About that horrible polluting mDNS stuff?
Next by Date: Re: About that horrible polluting mDNS stuff?
Previous by Thread: Which password cipher ?
Next by Thread: Re: Which password cipher ?
Indexes:

Home | Main Index | Thread Index | Old Index