Hi,

On Wed, 16 Aug 2000, Roman Drahtmueller wrote:
> Nevertheless: If an attacker has access to your encrypted passwords, you're in trouble anyway. There is a difference btw a 10th of a second and several days for cracking the passwords, but the result is basically the same, isn't it?

It's not a matter of a 10th of a second versus several days. If you use MD5, or an even better algorithm, it's the difference between a 10th of a second or a couple of years at the very least (or even centuries, if we ignore technological advances). A 10th of a second is a big problem, and a couple of days is not significantly better of course. But after a couple of years any sensible person would have changed their password, and after a couple of centuries most people would be dead anyway.

It all depends on your needs of course, mainly on the time you need your data to be safe, and of course on how often you change your password. For me changing to bcrypt would be well worth the trouble.

Cheers!

Yuri.

--------------------------------------------------------------------------
drs. Yuri Robbers                     phone : +31-71-527-4966
Leiden University                     fax   : +31-71-527-4900
Institute for Theoretical Biology     email : robbers@rulsfb.leidenuniv.nl
Kaiserstraat 63
2311 GP Leiden                        PGP 5.0 public key available:
the Netherlands                       Check your favourite hkp server.
--------------------------------------------------------------------------