It gets worse...

Jeremy Allison jra at
Fri Aug 20 18:10:49 GMT 2004

On Fri, Aug 20, 2004 at 02:02:52PM -0400, David Brodbeck wrote:
> > -----Original Message-----
> > From: Jeremy Allison [mailto:jra at]
> > "* Weng, Fang, Lai, and Yu have what appears to be a general 
> > method for
> >   finding collisions in MD4, MD5, HAVAL-128, and RIPEMD. They
> >   haven't published any details."
> > 
> > This could be very bad for NTLM auth.....
> Not to mention for (Free|Open|Net)BSD systems, which mostly use MD5
> passwords by default.  (It was thought to be "more secure" than DES.)

Well it is, actually :-). Thinking about this, it's still hard
to do a direct attack on NTLM auth as the MD4 hashes have to
be secret anyway, they're plaintext equivalents in a more direct
way than the BSD MD5 hashes.


More information about the samba-technical mailing list