Hi! On Wed, 16 Aug 2000 emm@eggler.ch wrote:
In my eyes, Robert is right and the initial statement (10th of second vs. centuries) is wrong (in the case of dictionary attacks). The only speed difference can be found in the speed difference of the crypt() vs. the MD5 algorithm. So the above statement implies that the MD5 algorithm is 10^n (n >> 1000000) slower than crypt's, which I don't belive.
From days to months is not a factor of 10^1000000. Even from a few days to a couple of centuries is more like a factor of about 10^4 or 10^5. I have not benchmarked MD5 myself, but eks-blowfish can easily be made much slower than that without bothering the regular user.
Also the way salt (and, if applicable, cost) are used a in some algorithms dramatically increases the time needed by a cracker as compared to crypt().
Anyway, if you have somebody on your system that can steal the /etc/shadow file (which is only accessible by root) than your system is already lost.
Not necessarily (see the logs of CERT and Bugtraq), but of course it is best to have /etc/shadow untouched. Cheers! Yuri. -------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------