Jump to content

To MD5 or not to MD5


XTF

Recommended Posts

SHA1 is hardly better. bcrypt or an alternative would be optimal, but there are implementation problems that mean it probably won't be happening soon [mostly lack of support and cross-platform compatibility].

If you're interested in a lot of reading, I had a topic on security concerns a couple months ago. It touched on this, among other things. http://community.inv...board-security/

Link to comment
Share on other sites


Is it? For strong long passwords it seems much better. For short passwords maybe not so much.



It suffers from the same fundamental problem that MD5 does, which is that it is a hash function, not a cryptographic method. It is designed to be as fast as possible to calculate, which means that hardware can be optimized to process the hashes extremely quickly--for a modern GPU, hundreds of millions per second. If brute force attacks aren't a concern, the hashing technique is largely irrelevant anyway.
Link to comment
Share on other sites

Doesn't that only work if your salts are too small? If you've got 64 bit salts it'd require you to compute 2^64 rainbow tables. AFAIK computing one table is kinda expensive already, how are you going to compute 2^64?

Link to comment
Share on other sites


Given the power of modern machines and the fact you can use your GPU these days to handle tasks like this as well as the CPU, 2^64 really isn't that un-reachable as you might think.



And since in most systems the salt is stored in plaintext with the password, it's often simpler to do away with rainbow tables and just go straight at it with a CPU/GPU.
Link to comment
Share on other sites


And since in most systems the salt is stored in plaintext with the password, it's often simpler to do away with rainbow tables and just go straight at it with a CPU/GPU.




Exactly. A lot of systems are using considerably outdated password storage mechanisms.
Link to comment
Share on other sites


Given the power of modern machines and the fact you can use your GPU these days to handle tasks like this as well as the CPU, 2^64 really isn't that un-reachable as you might think.



Got a reference for that? Note that we're talking about 2^64 rainbow tables, not 2^64 passwords.


And since in most systems the salt is stored in plaintext with the password, it's often simpler to do away with rainbow tables and just go straight at it with a CPU/GPU.



Storing (part of) the salt in a conf file would alleviate that.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...