PHK's MD5 might not be slow enough anymore

RW rwmaillists at googlemail.com
Fri Jan 29 00:53:36 UTC 2010


On Thu, 28 Jan 2010 17:53:30 -0500
Roger <rnodal at gmail.com> wrote:

> >
> > The point of slowing down the algorithm is to protect against
> > off-line attack where an attacker has gained access to a copy of
> > master.passwd.
> 
> When you say "off-line attack" do you refer to the attacker running a
> brute force attack on his/her machine?

Yes

> I'm assuming that by using a slow algorithm the attacker is forced to
> use the same slow algorithm to check the passwords?

Hopefully

> > Any hashing has to be done when the password is set, so it's fixed
> > thereafter.
> 

The thread is about password hashing, which is not a mechanism to
slow down and back off login attempts.
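
Added example, not part of the original message and not FreeBSD's crypt(3) code: it illustrates the two points above, that a guess against a stored entry costs whatever that entry was hashed with, and that the cost stays fixed until the password is presented again. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the iterated hash; the `$pbkdf2-demo$` entry format and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-demo"  # constructed label, not a real crypt(3) scheme id


def hash_password(password, rounds, salt=None):
    """Hash at password-set time; the cost is recorded inside the entry."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "$%s$%d$%s$%s" % (SCHEME, rounds, salt.hex(), dk.hex())


def stored_rounds(entry):
    """Cost that anyone checking a guess against this entry must pay."""
    _, scheme, rounds, _, _ = entry.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme")
    return int(rounds)


def verify(password, entry):
    """Recompute with the entry's own salt and rounds; constant-time compare."""
    _, _, rounds, salt_hex, dk_hex = entry.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login(password, entry, current_rounds):
    """Return (ok, entry).

    The system never holds the plaintext outside a login or password change,
    so an entry hashed with an old, cheap cost can only be upgraded here,
    after a successful verification. Until then it stays as it was set.
    """
    if not verify(password, entry):
        return False, entry
    if stored_rounds(entry) < current_rounds:
        entry = hash_password(password, current_rounds)  # fresh salt, new cost
    return True, entry
```

Entries for accounts that never log in again keep their original cost, which is why raising the default only protects passwords set or re-verified afterwards.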



