Karl Ferguson writes ("Re: md5sum passwords"):
> I know what you're all saying, but I'd definately like the MD5 in place as an
> optional extra. Isn't that possible? The extra security as an Internet
> Provider is a much needed asset...
As I wrote earlier, MD5 used in this way is not significantly more
secure than traditional crypt. The problem with Unix passwords isn't
the length limit, it's the poor diversity and the ease with which an
attacker can test a guess.
The poor diversity can be protected by making guessing harder; that's
what my proposal is intended to do.
I dread to think what the consequences will be if we try to go through
all of our programs making sure that they cope with longer passwords
and longer encrypted passwords, and in any case there would be little
point since it doesn't solve either of the problems.
I agree with Andrew Fernandes's comments.
Ian.
