Blowfish support in crypt() (glibc) ?

Rogelio Serrano rogelio at smsglobal.net
Mon Jun 7 19:52:03 PDT 2004


On 2004-06-08 09:37:05 +0800 Ian Molton <spyro at f2s.com> wrote:

> On Tue, 8 Jun 2004 11:20:26 +1000
> Ryan.Oliver at pha.com.au wrote:
> 
>> Like all security you have to choose what you apply where to 
>> suit the
>> individual requirements of your implementation depending on 
>> its
>> exposure.
> 
> and, of course, this is HLFS...
> 
> the question is... which is best? new (unproven) code for a 
> better hash,
> or old proven code for a weaker but still very good hash?
> 

Its not new code. It has been used by openbsd for a long time. 
dictionary attacks against md5 is very easy and fast. unless 
all users use random numbers for passwords, md5 will be a weak 
password hash. i am using blowfish in my system and it has a 
large number of rounds that it takes 3 seconds to compute the 
password hash. actually im using the srp verifier instead of 
the actual hash. that way remote srp logins are very easy to 
support and its possible to use it as an alternative to ssh.




More information about the hlfs-dev mailing list