Re: To be a new DFly commiter

["Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>]

Grzegorz Błach wrote:
> Brute-force algoritm with collision can take password 100 time faster
> than brute-force without brute-force.

How do you prove this claim?  AFAIK collision attacks need to know the plain text.  Trying to brute-force a password means not having it in plain text.  Hence collisions do not play any role.

> Atacker not must stole password file, attack can be made from local
> network too.
> We can don't change password_format and still use md5,
> but we can change it to blowfish, maybe this is not a big issue,
> but for fix it, we must change only one record in /etc/login.conf.
> This is very trivial.

Yes, I also don't see any reason why we *have* to stick to md5.  However, I also don't see any reason why we should switch to blowfish.

cheers
 simon

PS: could you please trim excessive quotes when replying?  thanks.

--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \

Attachment: signature.asc
Description: OpenPGP digital signature