Xin LI writes:

> The slowness was useful at the time when the code was written, but I don't
> think it would buy us as much nowadays, expect the slowness be halved from
> time to time, not to mention the use of distributed techniques to
> accelerate the build of dictionaries.
The goal is to make the attacker *have* to use distributed techniques and to buy more gear, rather than simply be able to brute them all in a few minutes on a single cheap PC. MD5_SLOW is the factor by which you increase the attacker's cost; it is easy for the defender to go very high here because checking any one password is still fast. Distributed attacks existed when PHK wrote the code originally, too -- I don't think anything has fundamentally changed since then. Attackers use arrays of GPUs now? Ok, increase MD5_SLOW some more.

> Second, recent research has shown MD5 to be vulnerable to collision
> attacks [1] by the end of 2008.

I'm not sure that attack against MD5 is relevant here, because we're not using it in a way where collisions hurt. (Someone correct me if I'm wrong.) In fact, moving to a modern hash would weaken the defense, because e.g. Skein is brilliantly fast -- the opposite of our goal.

See also: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

"""The major advantage of adaptive hashing is that you get to tune it. As computers get faster, the same block of code continues to produce passwords that are hard to crack."""

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
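As an added illustration of the adaptive-cost argument in the message above (this is example code written for this page, not code from the thread or from FreeBSD's libcrypt): a Python reimplementation of PHK's md5crypt with the stretching loop count exposed as a parameter. The value 1000 reproduces the standard `$1$` output; any other value is a non-interoperable variant, assumed here only to show how the defender's one check stays cheap while the attacker's per-guess cost scales with the round count. The `attacker_cost` helper and its `md5_per_second` throughput figure are assumptions for the estimate, not measurements.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str, md5_slow: int = 1000) -> str:
    """PHK md5crypt ($1$). md5_slow=1000 is the standard loop count; any
    other value is a deliberately slower, non-interoperable variant."""
    pw, sl = password.encode(), salt.encode()[:8]   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw), 0, -16):                # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                        # PHK's "really weird" length walk
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(md5_slow):                       # the stretching loop (MD5_SLOW)
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:                # 6 bits at a time, LSB first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    out += to64(final[11], 2)
    return f"$1${sl.decode()}${out}"


def attacker_cost(md5_slow: int, candidates: int, md5_per_second: float) -> float:
    """Seconds to try `candidates` guesses against one hash on hardware that
    does `md5_per_second` MD5 computations (assumed figure). Each guess costs
    md5_slow + 2 MD5s; the defender pays that same amount once per login."""
    return candidates * (md5_slow + 2) / md5_per_second


if __name__ == "__main__":
    h = md5crypt("correct horse", "saltsalt")
    print(h)
    for rounds in (1000, 10000, 100000):
        print(rounds, "rounds: one login =", attacker_cost(rounds, 1, 1e9), "s;",
              "1e9 guesses =", attacker_cost(rounds, 10**9, 1e9), "s")
```

Raising the round count multiplies the attacker's time per guess by the same factor that it multiplies a single legitimate check, which is the whole point of the message above.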