Current-Users archive


Re: Which password cipher ?



On Wed, Dec 01, 2010 at 10:47:43AM -0500, Steven Bellovin wrote:
> 
> On Dec 1, 2010, at 10:41 58AM, Thor Lancelot Simon wrote:
> 
> > On Wed, Dec 01, 2010 at 01:33:38PM +0000, Andrew Doran wrote:
> >> 
> >> Outside the NetBSD bubble most newly installed systems use MD5.
> > 
> > If that is actually the case, then it is not possible to certify such
> > systems under most of the interesting/commercially valuable security
> > standards.
> > 
> That isn't clear to me -- the weakness under collision of MD5 is completely
> irrelevant here.

I'm aware of that, but anything that allows only Approved hash functions
will still exclude it.  I didn't say it _should_ be that way...

...and yes, I've repeatedly had to rework code in real products for this
reason.

Thor

