FW: [suse-security] Request for comment: Custom MD5 password hashes
I must need some more coffee this morning. The weakness is that I could (in advance) create a reasonable-sized dictionary (maybe a billion entries, a few gigabytes total) using salts consisting only of timestamps chosen near the expected time. When I begin the attack on your hashed password, my odds of having your hash in my dictionary might be pretty good. But that's a lot of work to attack something that you said is not especially sensitive, so maybe it is a non-issue.

-----Original Message-----
From: Alan Rouse
Sent: Friday, July 12, 2002 10:31 AM
To: suse-security@suse.com
Subject: RE: [suse-security] Request for comment: Custom MD5 password hashes

Scott Courtney wrote:

> What I propose, with regard to password hashing, is something like this:
>
> Let string1 = login . "\n" . password . "\n" . iso_timestamp_string
> (example: "myaccount\nV3rY53cr37\n20020712094952")
>
> Let hash = md5sum(string1)
>
> Store login . "\n" . iso_timestamp_string . "\n" hash in the equivalent
> of the shadow file.
> (example: "myaccount\n20020712094952\na66c43e395f555447aad298a538f5e38")

You'd be better off using a random function to generate the salt, rather than using a timestamp. Assuming your computer's clock is set somewhere close to true time (or that the delta can be learned), if I know when you changed your password I could use this information to accelerate my attack by making informed guesses about the salt value. Of course if your random function is seeded with the timestamp then the two are equivalent. Depending on your platform, if you use the unix /dev/random, or the java SecureRandom class you should be in great shape.
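An added example, not part of the original thread: the quoted timestamp-salted record next to a record salted from the OS random source, with the salt uncertainty of the timestamp scheme computed for a known change window. The function names are hypothetical, and the use of PBKDF2-HMAC-SHA256 with 600,000 iterations in place of a single MD5 pass is an assumption of this example that goes beyond the random-salt advice in the message.

```python
import hashlib
import hmac
import math
import secrets
from datetime import datetime, timedelta


def timestamp_salt_record(login: str, password: str, when: datetime) -> str:
    """The quoted proposal: MD5 over login, password and a timestamp salt."""
    ts = when.strftime("%Y%m%d%H%M%S")
    digest = hashlib.md5(f"{login}\n{password}\n{ts}".encode()).hexdigest()
    return f"{login}\n{ts}\n{digest}"


def timestamp_salt_bits(window: timedelta) -> float:
    """Bits of uncertainty in a one-second timestamp salt when the change
    time is known to within +/- window."""
    candidates = 2 * int(window.total_seconds()) + 1
    return math.log2(candidates)


def random_salt_record(login: str, password: str, iterations: int = 600_000) -> str:
    """Salt from the OS CSPRNG; PBKDF2 instead of one MD5 pass (assumption)."""
    salt = secrets.token_bytes(16)  # 128 bits, independent of the clock
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{login}\n{iterations}\n{salt.hex()}\n{dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _login, iterations, salt_hex, dk_hex = record.split("\n")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    when = datetime(2002, 7, 12, 9, 49, 52)  # timestamp from the quoted example
    print(timestamp_salt_record("myaccount", "V3rY53cr37", when))
    print(f"timestamp salt, +/-1 day: {timestamp_salt_bits(timedelta(days=1)):.1f} bits")
    print("random salt: 128 bits")
    print(random_salt_record("myaccount", "V3rY53cr37"))
```

A change time known to within a day leaves about 17 bits of salt uncertainty, against 128 bits for the random salt.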