[clug] [OT] all text passwords == secure?

Martijn van Oosterhout kleptog at svana.org
Tue Aug 28 01:49:16 MDT 2012


On Tue, Aug 28, 2012 at 08:59:03AM +1000, Scott Ferguson wrote:
> The difference between brute forcing 8 characters and brute forcing 25
> characters is greater by a large factor than the difference between
> brute forcing 8 characters and a dictionary attack on 4 words - even if
> the speed of the attack is only a million attempts per second.

Note that the hash used is also relevant. If the hashing occurs with
MD5 the result has only 16 bytes so there's a really good chance that
there are a *lot* of 25 character passwords that generate the same hash.

I guess this is why /etc/shadow these days apparently uses SHA-512. But
I bet there's a lot of sites out there still using MD5.

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog at svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
   -- Arthur Schopenhauer
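An added example, not code from the original post, that makes the two points above checkable: the crypt(3) scheme is recorded in the `$id$` prefix of each /etc/shadow hash field (`$1$` md5crypt, `$5$` sha256crypt, `$6$` sha512crypt, `$y$` yescrypt, `$2a$`/`$2b$`/`$2y$` bcrypt, as used by glibc and libxcrypt), so MD5-based entries are easy to audit for; and a 25-character password space (about 164 bits over printable ASCII) is larger than MD5's 128-bit output, so by the pigeonhole principle distinct passwords must share hashes, while SHA-512's 512 bits is not exceeded. The shadow lines are constructed for the example and are not real hashes.

```python
import math
import re

# Added example; not part of the original post. The shadow lines below are
# constructed sample data, not real account hashes.

# crypt(3) scheme prefixes (glibc / libxcrypt) and, where the scheme is a plain
# iterated hash, the size of the underlying digest in bits.
CRYPT_SCHEMES = {
    "1": ("md5crypt", 128),
    "5": ("sha256crypt", 256),
    "6": ("sha512crypt", 512),
    "y": ("yescrypt", None),
    "2a": ("bcrypt", None),
    "2b": ("bcrypt", None),
    "2y": ("bcrypt", None),
}

_PREFIX_RE = re.compile(r"^\$([^$]+)\$")


def identify_scheme(hash_field):
    """Return the crypt scheme name for one /etc/shadow hash field."""
    if hash_field == "":
        return "empty-password"          # no password at all: login without one
    if hash_field.startswith(("!", "*")):
        return "locked-or-no-login"      # locked account or no password login
    m = _PREFIX_RE.match(hash_field)
    if not m:
        # No $id$ prefix: classic DES crypt is always 13 characters and
        # silently truncates passwords to 8 characters.
        return "descrypt" if len(hash_field) == 13 else "unknown"
    name, _digest_bits = CRYPT_SCHEMES.get(m.group(1), ("unknown", None))
    return name


def audit_shadow(lines):
    """Return (user, scheme) for accounts whose hash field is a weak or unknown scheme."""
    weak = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, hash_field = fields[0], fields[1]
        scheme = identify_scheme(hash_field)
        if scheme in ("md5crypt", "descrypt", "unknown", "empty-password"):
            weak.append((user, scheme))
    return weak


def keyspace_bits(length, alphabet_size=95):
    """log2 of the number of passwords of this length (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def exceeds_digest(length, digest_bits, alphabet_size=95):
    """True when the password space is larger than the hash output space, i.e.
    when the pigeonhole principle guarantees that distinct passwords collide."""
    return keyspace_bits(length, alphabet_size) > digest_bits


# Constructed sample /etc/shadow content (hash material is placeholder text).
SAMPLE_SHADOW = [
    "root:$6$rounds=5000$saltsalt$Ab3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5aB6cD7eF8gH9iJ0kL1mN2oP3qR4sT5uV6wX7yZ8a:15579:0:99999:7:::",
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:15579:0:99999:7:::",
    "daemon:*:15579:0:99999:7:::",
    "old:AbCdEfGhIjKlM:15579:0:99999:7:::",
    "bob:$y$j9T$saltsaltsaltsalt$hashhashhashhashhashhashhashhashhashhashhash:15579:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
    for length in (8, 25):
        bits = keyspace_bits(length)
        print(f"{length} chars: {bits:.1f} bits; "
              f"exceeds MD5 (128): {exceeds_digest(length, 128)}, "
              f"exceeds SHA-512 (512): {exceeds_digest(length, 512)}")
```

The digest-size comparison only says which password lengths are guaranteed to collide somewhere in the space; it says nothing about how fast either scheme is to brute force, which is set by the iteration count (the `rounds=` parameter for sha512crypt) rather than the digest width.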