PHK's MD5 might not be slow enough anymore
RW
rwmaillists at googlemail.com
Thu Jan 28 22:40:26 UTC 2010
On Thu, 28 Jan 2010 16:24:43 -0500
Roger <rnodal at gmail.com> wrote:
> What would be the consequence of having an algorithm that will
> increase the amount of time needed to check the next password after a
> failure?
The point of slowing down the algorithm is to protect against off-line
attack where an attacker has gained access to a copy of master.passwd.
Any hashing has to be done when the password is set, so it's fixed
thereafter.
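
An added example, not part of the original post: a sketch of why a per-failure delay in the login path does nothing for someone holding a copy of the hash file, and why the hashing cost stays whatever it was when the password was set. PBKDF2-HMAC-SHA256 stands in here for the crypt algorithm under discussion, and the record format, function names and sample password are all hypothetical.

```python
import hashlib
import hmac
import os

def set_password(password, rounds):
    """Hash once, at set time. The cost parameter is stored with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def stored_rounds(record):
    return int(record.split("$")[0])

def verify(record, guess):
    """Work per guess is dictated by the stored record, not by current policy."""
    rounds, salt, digest = record.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                               bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(cand.hex(), digest)

class LoginService:
    """Online path: the wait doubles after each failure (server-side state)."""
    def __init__(self, record, base_delay=1.0):
        self.record = record
        self.base_delay = base_delay
        self.failures = 0
        self.waited = 0.0  # simulated seconds; no real sleep

    def attempt(self, guess):
        if self.failures:
            self.waited += self.base_delay * 2 ** (self.failures - 1)
        ok = verify(self.record, guess)
        self.failures = 0 if ok else self.failures + 1
        return ok

def offline_guesses(record, candidates):
    """With a copy of the record, verify() is called directly: the login
    delay never runs, so only the stored round count costs anything."""
    for n, guess in enumerate(candidates, 1):
        if verify(record, guess):
            return guess, n
    return None, len(candidates)

if __name__ == "__main__":
    record = set_password("hunter2", rounds=1000)  # constructed sample
    words = ["letmein", "password", "qwerty", "hunter2"]
    svc = LoginService(record)
    print([svc.attempt(w) for w in words], "online wait:", svc.waited)
    print("offline:", offline_guesses(record, words), "wait: 0")
    print("rounds fixed at set time:", stored_rounds(record))
```

Raising the round count later only affects records written after the change; an existing record keeps its original cost until the password is set again.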
More information about the freebsd-security mailing list