Full Discussion: Why use strong passwords?
Special Forums Cybersecurity Why use strong passwords? Post 302727029 by Neo on Monday 5th of November 2012 02:00:16 PM
Here is one quick reference about salt:

Quote:
Obviously, the use of salting does not necessarily improve the strength of the encryption. In fact, especially since the mechanism of DEA is not well understood by cryptanalysts who do not have access to classified files explaining the algorithm, it is possible that salting may have weakened the encryption process.
Frankly, many years ago, I worked on a project to help NIST in the US evaluate the AES algorithm. I even wrote a paper on the topic; but it was not published (public).

Crypto is math, and computing power... and the state of the art changes as computing power changes. What was a great crypto algorithm for the processing power of 10 years ago is just weak "history" today, and the same is true for the crypto today, when we fast forward 10 or more years.

Edit: Anyway, this is mostly "abstract" because when discussing cryptography, we should really not speak in sweeping generalizations; but focus on the exact algorithms, hash functions, length of keys, salt, method of storing both cryptographic hashes and salt, etc.
 

md5crypt(n)                 MD5-based password encryption                 md5crypt(n)

NAME
       md5crypt - MD5-based password encryption

SYNOPSIS
       package require Tcl 8.2
       package require md5 2.0
       package require md5crypt ?1.1.0?

       ::md5crypt::md5crypt password salt
       ::md5crypt::aprcrypt password salt
       ::md5crypt::salt ?length?

DESCRIPTION
       This package provides an implementation of the MD5-crypt password
       encryption algorithm as pioneered by FreeBSD and currently in use as a
       replacement for the unix crypt(3) function in many modern systems. An
       implementation of the closely related Apache MD5-crypt is also
       available. The output of these commands is compatible with the BSD and
       OpenSSL implementation of md5crypt and the Apache 2 htpasswd program.

COMMANDS
       ::md5crypt::md5crypt password salt
              Generate a BSD compatible md5-encoded password hash from the
              plaintext password and a random salt (see SALT).

       ::md5crypt::aprcrypt password salt
              Generate an Apache compatible md5-encoded password hash from the
              plaintext password and a random salt (see SALT).

       ::md5crypt::salt ?length?
              Generate a random salt string suitable for use with the md5crypt
              and aprcrypt commands.

SALT
       The salt passed to either of the encryption schemes implemented here is
       checked to see if it begins with the encryption scheme magic string
       (either "$1$" for MD5-crypt or "$apr1$" for Apache crypt). If so, this
       is removed. The remaining characters up to the next $ and up to a
       maximum of 8 characters are then used as the salt. The salt text should
       probably be restricted to the set of ASCII alphanumeric characters plus
       "./" (dot and forward-slash) - this is to preserve maximum
       compatibility with the unix password file format.

       If a password is being generated rather than checked from a password
       file then the salt command may be used to generate a random salt.

EXAMPLES
       % md5crypt::md5crypt password 01234567
       $1$01234567$b5lh2mHyD2PdJjFfALlEz1

       % md5crypt::aprcrypt password 01234567
       $apr1$01234567$IXBaQywhAhc0d75ZbaSDp/

       % md5crypt::md5crypt password [md5crypt::salt]
       $1$dFmvyRmO$T.V3OmzqeEf3hqJp2WFcb.

BUGS, IDEAS, FEEDBACK
       This document, and the package it describes, will undoubtedly contain
       bugs and other problems. Please report such in the category md5crypt of
       the Tcllib SF Trackers [http://sourceforge.net/tracker/?group_id=12883].
       Please also report any ideas for enhancements you may have for either
       package and/or documentation.

SEE ALSO
       md5

KEYWORDS
       hashing, md5, md5crypt, message-digest, security

CATEGORY
       Hashes, checksums, and encryption

COPYRIGHT
       Copyright (c) 2003, Pat Thoyts <patthoyts@users.sourceforge.net>

md5crypt                              1.1.0                           md5crypt(n)
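The SALT rules and the two fixed-salt EXAMPLES above, worked through in Python as an added example (not code from the Tcllib package or from the original page). The names `parse_salt`, `md5crypt` and `verify` are chosen here for illustration, and the steps follow the FreeBSD MD5-crypt construction that the man page says the package is compatible with.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_salt(salt, magic):
    """Apply the SALT rules: drop a leading magic string, stop at '$', cap at 8."""
    if salt.startswith(magic):
        salt = salt[len(magic):]
    return salt.split("$", 1)[0][:8]

def _to64(value, count):
    # crypt(3)-style base64: least significant 6 bits are emitted first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def md5crypt(password, salt, magic="$1$"):
    pw = password.encode()
    salt = parse_salt(salt, magic)
    s = salt.encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + magic.encode() + s        # the magic string is part of the hash input
    ctx += alt * (len(pw) // 16) + alt[:len(pw) % 16]
    n = len(pw)
    while n:                             # one extra byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                # fixed 1000-round stretching loop
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return magic + salt + "$" + out + _to64(final[11], 2)

def verify(password, stored):
    """Re-hash with the salt embedded in the stored value; compare in constant time."""
    magic = "$apr1$" if stored.startswith("$apr1$") else "$1$"
    return hmac.compare_digest(md5crypt(password, stored, magic).encode(), stored.encode())
```

Passing the whole stored hash as the salt argument works because `parse_salt` strips the magic string and stops at the next `$`, which is the "checked from a password file" case the SALT section describes.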