On Wed, 16 Aug 2000, Yuri Robbers wrote:
It's not a matter of a 10th of a second versus several days. If you use MD5, or an even better algorithm, it's the difference between a 10th of a second or a couple of years at the very least (or even centuries, if we ignore technological advances). A 10th of a second is a big problem, and a couple of days is not significantly better of course. But after a couple of years any sensible person would have changed their password, and after a couple of centuries most people would be dead anyway.
I don't understand that. If someone has your password file he can start a dictionary attack. Is there any difference encrypting words in crypt or MD5 and comparing the result to passwd? Wouldn't the centuries apply only to cracking the scrambled value but not to a "guessing" approach? Maybe I'm just ignorant. Security would of course be enhanced by allowing more than 8 character passwords. Last I heard there were still issues with NIS. (Not that there's much security left when you use NIS ;-) Cheers Robert -- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)