It's not a matter of a 10th of a second versus several days. If you use MD5, or an even better algorithm, it's the difference between a 10th of a second or a couple of years at the very least (or even centuries, if we ignore technological advances). A 10th of a second is a big problem, and a couple of days is not significantly better of course. But after a couple of years any sensible person would have changed their password, and after a couple of centuries most people would be dead anyway.
I don't understand that. If someone has your password file he can start a dictionary attack. Is there any difference encrypting words in crypt or MD5 and comparing the result to passwd?
In my eyes, Robert is right and the initial statement (10th of second vs. centuries) is wrong (in the case of dictionary attacks). The only speed difference can be found in the speed difference of the crypt() vs. the MD5 algorithm. So the above statement implies that the MD5 algorithm is 10^n (n >> 1000000) slower than crypt's, which I don't belive. Anyway, if you have somebody on your system that can steal the /etc/shadow file (which is only accessible by root) than your system is already lost. my cent Emmerich