Blowfish support in crypt() (glibc) ?

Robert Connolly robert at
Mon Jun 7 14:20:44 PDT 2004

On June 7, 2004 10:05 am, Bennett Todd wrote:
> 2004-06-07T01:58:05 Robert Connolly:
> > Md5 isn't very good anymore.
> Could you please expand on that?
> What I've heard is that weakened varients (reduced rounds?) have
> been shown vulnerable to attack, but so far as I know standard MD5
> hasn't. And in some applications, a 128-bit hash like MD5 is
> vulnerable to a Birthday attack where a bigger one, like e.g. SHA1
> (160 bits) isn't.
> But "attack" means something very different for a cryptographic hash
> used bare, like MD5 or SHA1 in normal crypto design, and one used
> salted and iterated, like in a passwd file; there the possibility of
> breaking the hash isn't even interesting, the design is focused on
> trying to slow down dictionary attacks.
> What's the problem with MD5 in passwd?

"The problem of attacking MD5 is no longer a theoretical matter - it is a 
business proposition."

It is more likely that 2 (and more) different passwords produce the same hash 
using md5 then when using blowfish. According to that url md5 should have 
been abandoned in 1995. We could also use sha1, but since blowfish is harder 
to crack, sha1 can just be skipped. A dictionary attack depends directly on 
the password used and that attack would be equally successfull with any 
algorithm, excluding cpu time. The blowfish algorithm protects against a 
different style of attack directed against the mathmatics of the hash.

More information about the hlfs-dev mailing list