PHK says md5crypt() algorithm no longer secure

Posted on June 8, 2012 by Gerard

This week has been interesting with regards to online security: LinkedIn, Last.fm, eHarmony, et al had security issues and breaches.

Not directly related to these breaches, but still in the realm of security, Poul-Henning Kamp, the author of md5crypt(), has said that md5crypt() is no longer secure despite being recommended as a password hashing function. md5crypt is used to encrypt passwords on some FreeBSD systems.

The md5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.

New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.

As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.

Continues


Related posts:

  1. sysinstall is no longer FreeBSD’s default installer
  2. Accelerating Secure Storage on FreeBSD
  3. China chooses FreeBSD as basis for secure OS
  4. The night of 1000 jails
  5. Reset admin/root password in FreeBSD (howto)


About Gerard

Gerard is a keen user of open source operating systems and software. On this blog he shares FreeBSD news and links that he comes across.
This entry was posted in FreeBSD. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>