tech-security archive


Re: md5 passwords

On Thu, 15 Jan 2009 16:52:09 +0200
Henri Salo <> wrote:

> On Thu, Jan 15, 2009 at 10:06:43AM +0000, David Holland wrote:
> > Given that md5 looks to be pretty shaky by now, should we adjust the
> > passwd.conf docs and other such places to deprecate/recommend
> > against using md5 passwords?
> > 
> > If so it would be a good thing to do it before releasing -5...
> > 
> > -- 
> > David A. Holland
> >
> I would say that this should be done. Deprecating is a good way to
> handle this issue, because MD5 is very weak and no-one should use it
> anymore for this purpose.

The known problems with MD5 are collision attacks.  In this context,
that translates to "I can (perhaps) pick two different passwords that
have the same hash".  That isn't in my threat model for
password-guessing...  (If there were preimage attacks on MD5, it would
be another matter, but there aren't any.)

All that aside, our SHA1 password hashing is very strong
cryptographically -- it uses HMAC, which would likely be safe even if
MD5 were used as the hash function.

So -- the advantage of MD5 is hashed password interoperability with
other systems.  SHA1 is, as far as I know, NetBSD-specific.  Rather,
we implemented it from scratch 4.5 years ago; I don't know that anyone
else has picked it up.

From a security perspective, I suspect that the real difference is the
real time consumed by the default iteration counter.  I don't think
that the cryptographic differences are at all significant.

                --Steve Bellovin,
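As an added illustration of the argument above (not code from NetBSD, nor from anyone in the thread): an iterated-HMAC password hash with a tunable round count, using Python's PBKDF2-HMAC as a stand-in for the construction the message describes. The storage format, the default round count and the constructed salt are assumptions of this example; timing the per-guess cost shows that the round count, not the md5/sha1 choice, sets the attacker's work.

```python
import hashlib
import hmac
import os
import time

# Constructed illustration, not NetBSD's crypt-sha1 code: PBKDF2-HMAC stands in
# for "an iterated HMAC password hash with a tunable round count". The storage
# format and the default round count below are assumptions for this example.
DEFAULT_ROUNDS = 24680


def hash_password(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS,
                  digest: str = "sha1") -> str:
    """Return a self-describing string: $pbkdf2-<digest>$<rounds>$<salt>$<dk>."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds)
    return f"$pbkdf2-{digest}${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored digest, salt and round count, then compare in
    constant time so a wrong guess does not leak how many bytes matched."""
    try:
        _, scheme, rounds, salt_hex, dk_hex = stored.split("$")
        if not scheme.startswith("pbkdf2-"):
            return False
        digest = scheme[len("pbkdf2-"):]
        dk = hashlib.pbkdf2_hmac(digest, password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    except (ValueError, TypeError):
        return False  # malformed record or unsupported digest name
    return hmac.compare_digest(dk.hex(), dk_hex)


def seconds_per_guess(digest: str, rounds: int, samples: int = 50) -> float:
    """Time one candidate-password check, i.e. the attacker's per-guess cost.
    The digest choice barely moves this number; the round count does."""
    salt = b"constructed-salt"  # constructed value, fixed so runs are comparable
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac(digest, f"guess{i}".encode(), salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    stored = hash_password("correct horse", os.urandom(16))
    print(stored)
    print("verify ok:   ", verify_password("correct horse", stored))
    print("verify wrong:", verify_password("Correct horse", stored))
    for digest, rounds in (("md5", 1000), ("sha1", 1000), ("sha1", 20000)):
        us = seconds_per_guess(digest, rounds) * 1e6
        print(f"{digest:5} x {rounds:6} rounds: {us:8.1f} us per guess")
```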
