Blowfish support in crypt() (glibc) ?
rogelio at smsglobal.net
Mon Jun 7 19:52:03 PDT 2004
On 2004-06-08 09:37:05 +0800 Ian Molton <spyro at f2s.com> wrote:
> On Tue, 8 Jun 2004 11:20:26 +1000
> Ryan.Oliver at pha.com.au wrote:
>> Like all security you have to choose what you apply where to suit the
>> individual requirements of your implementation depending on
> and, of course, this is HLFS...
> the question is... which is best? new (unproven) code for a better hash,
> or old proven code for a weaker but still very good hash?
It's not new code. It has been used by OpenBSD for a long time.
Dictionary attacks against MD5 are very easy and fast. Unless
all users use random numbers for passwords, MD5 will be a weak
password hash. I am using Blowfish in my system, and it has such a
large number of rounds that it takes 3 seconds to compute the
password hash. Actually, I'm using the SRP verifier instead of
the actual hash. That way remote SRP logins are very easy to
support, and it's possible to use it as an alternative to SSH.
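
An added example, not part of the original message: it calibrates a round count to a target time per hash, as the post describes for its 3-second setting, and compares the per-account cost of checking a wordlist with that of a single-pass salted MD5. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here, and the function names, the 50 ms demo target and the dictionary size are assumptions.

```python
import hashlib
import hmac
import os
import time

def md5_hash(password: bytes, salt: bytes) -> bytes:
    """Single-pass salted MD5: the fast case the message warns about."""
    return hashlib.md5(salt + password).digest()

def stretched_hash(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Iterated hash; PBKDF2-HMAC-SHA256 is a stand-in for bcrypt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)

def verify(password: bytes, salt: bytes, rounds: int, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(stretched_hash(password, salt, rounds), stored)

def seconds_per_hash(fn, repeat: int = 3) -> float:
    """Best-of-N wall-clock time for one call of fn()."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best

def calibrate_rounds(target_seconds: float, start: int = 1000) -> int:
    """Double the round count until one hash costs at least target_seconds."""
    salt, rounds = os.urandom(16), start
    while seconds_per_hash(lambda: stretched_hash(b"probe", salt, rounds), 1) < target_seconds:
        rounds *= 2
    return rounds

def wordlist_seconds(per_hash: float, candidates: int) -> float:
    """Cost of checking every candidate against ONE salted hash."""
    return per_hash * candidates

if __name__ == "__main__":
    salt = os.urandom(16)
    rounds = calibrate_rounds(0.05)  # 50 ms keeps the demo quick; the post uses 3 s
    fast = seconds_per_hash(lambda: md5_hash(b"probe", salt))
    slow = seconds_per_hash(lambda: stretched_hash(b"probe", salt, rounds))
    words = 1_000_000  # constructed dictionary size, not from the post
    print(f"rounds={rounds}")
    print(f"md5:       {wordlist_seconds(fast, words):.1f} s per account")
    print(f"stretched: {wordlist_seconds(slow, words) / 3600:.1f} h per account")
```

Because the salt is per account, the stretched cost is paid again for every account, while legitimate logins pay it once.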