[clug] [OT] all text passwords == secure?
Martijn van Oosterhout
kleptog at svana.org
Tue Aug 28 01:49:16 MDT 2012
On Tue, Aug 28, 2012 at 08:59:03AM +1000, Scott Ferguson wrote:
> The difference between brute forcing 8 characters and brute forcing 25
> characters is greater by a large factor than the difference between
> brute forcing 8 characters and a dictionary attack on 4 words - even if
> the speed of the attack is only a million attempts per second.
Note that the hash used is also relevant. If the hashing occurs with
MD5 the result has only 16 bytes so there's a really good chance that
there are a *lot* of 25 character passwords that generate the same hash.
I guess this is why /etc/shadow these days apparently uses SHA-512. But
I bet there's a lot of sites out there still using MD5.
Have a nice day,
Martijn van Oosterhout <kleptog at svana.org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
-- Arthur Schopenhauer
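
The remark above about /etc/shadow and sites still on MD5, as an added example that is not part of the original message: a small audit that reads shadow(5)-style lines and reports which accounts still carry an MD5-based hash, using the standard crypt(3) `$id$` prefixes. The function names and sample entries are hypothetical, the hash bodies are constructed placeholders, and flagging the legacy 13-character DES format as weak as well is an assumption that goes beyond the message.

```python
# Map of crypt(3) "$id$" prefixes to scheme names.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Schemes this audit reports (descrypt is an added assumption, see lead-in).
WEAK = {"md5crypt", "descrypt"}

def classify(field):
    """Return the scheme name for the password field of a shadow entry."""
    if field == "":
        return "empty"                    # no password set at all
    body = field.lstrip("!")              # a leading "!" marks a locked hash
    if field.startswith("*") or body == "":
        return "locked"                   # "*", "!" or "!!": no usable hash
    if body.startswith("$"):
        return SCHEMES.get(body.split("$")[1], "unknown")
    if len(body) == 13:
        return "descrypt"                 # traditional DES crypt, no "$" prefix
    return "unknown"

def audit(lines):
    """Return (user, scheme) for every entry hashed with a weak scheme."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # not a shadow-style record
        scheme = classify(fields[1])
        if scheme in WEAK:
            findings.append((fields[0], scheme))
    return findings

# Constructed sample input: placeholder salts and hashes, not real ones.
SAMPLE = [
    "alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15580:0:99999:7:::",
    "bob:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15580:0:99999:7:::",
    "carol:!:15580:0:99999:7:::",
    "dave:abCONSTRUCTED:15580:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}")
```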