01-31-2006
I'm not a crypto expert, but I have to say that I am not convinced that md5 hashes constitute a successful replacement to the standard unix password hash. Before md5, we had md2 and md4 both of which failed to live up to their promises. In this paper,
Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD demonstrate collisions for md5. It's especially jarring that they can find a collision for md4
by hand, no computer needed. And Bruce Snieder checks in with
Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard. On the other hand, it may be that stuff like md5 is unusually strong when hashing a very short string like a password. But I'm reluctant to use a new algorithm until it has proven itself for awhile.
9 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Sirs,
What is a shadow file,How it be usefull.For my project i have to keep the password in shawdow file also i am doing in php how can i do it.
Thanks in advance,
ArunKumar (3 Replies)
Discussion started by: arunkumar_mca
3 Replies
2. UNIX for Advanced & Expert Users
what does 'x' in the encrypted password field in /etc/shaodw file represent? (3 Replies)
Discussion started by: jbashir
3 Replies
3. Programming
I'm writing a 'C' program on various systems (HP-UX, Solaris, AIX, NCR) which needs to interact with a user's password. Some of my systems are using the shadow password and some are not. It is possible for some of my systems to have /etc/shadow, even though the box is not using the file (I know,... (4 Replies)
Discussion started by: chrisc@nwark.ne
4 Replies
4. Solaris
my etc/shadow file showing *LK* for a particular user.. can u tell me under which circumstances a user is locked (5 Replies)
Discussion started by: vikashtulsiyan
5 Replies
5. UNIX for Advanced & Expert Users
Does anyone know what "!!" represents in the password field of the /etc/shadow file? :confused: (6 Replies)
Discussion started by: avcert1998
6 Replies
6. UNIX for Dummies Questions & Answers
I see conflicting definitions for the shadow file. For Solaris, what are the fields please? Thanks. (3 Replies)
Discussion started by: DavidS
3 Replies
7. UNIX for Dummies Questions & Answers
As a part of linux hardening
In shadow file all Application accounts which are not locked must contain only an asterisk “*” in the Passwd field.
But how would i do it by using command?
Is there any way other than modifying shadow file to accomplish this task? (3 Replies)
Discussion started by: pinga123
3 Replies
8. Cybersecurity
I'm doing some labs regarding password cracking on Linux machines. I took the shadow file from one of my virtual machines and it looks like below:
bruno:$1$mrVjnhtj$bg47WvwLXN4bZrUNCf1Lh.:14019:0:99999:7:::
From my understanding the most important piece regarding password cracking on linux... (1 Reply)
Discussion started by: bcaseiro
1 Replies
9. UNIX for Advanced & Expert Users
I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the... (5 Replies)
Discussion started by: Anne Neville
5 Replies
otp(3tcl) RFC 2289 A One-Time Password System otp(3tcl)
__________________________________________________________________________________________________________________________________________________
NAME
otp - One-Time Passwords
SYNOPSIS
package require Tcl 8.2
package require otp ?1.0.0?
::otp::otp-md4 ?-hex? ?-words? -seed seed -count count data
::otp::otp-md5 ?-hex? ?-words? -seed seed -count count data
::otp::otp-sha1 ?-hex? ?-words? -seed seed -count count data
::otp::otp-rmd160 ?-hex? ?-words? -seed seed -count count data
_________________________________________________________________
DESCRIPTION
This package is an implementation in Tcl of the One-Time Password system as described in RFC 2289(1). This system uses message-digest
algorithms to sequentially hash a passphrase to create single-use passwords. The resulting data is then provided to the user as either
hexadecimal digits or encoded using a dictionary of 2048 words. This system is used by OpenBSD for secure login and can be used as a SASL
mechanism for authenticating users.
In this implementation we provide support for four algorithms that are included in the tcllib distribution: MD5(2), MD4(3), RIPE-MD160(4) and SHA-1(5).
COMMANDS
::otp::otp-md4 ?-hex? ?-words? -seed seed -count count data
::otp::otp-md5 ?-hex? ?-words? -seed seed -count count data
::otp::otp-sha1 ?-hex? ?-words? -seed seed -count count data
::otp::otp-rmd160 ?-hex? ?-words? -seed seed -count count data
EXAMPLES
% otp::otp-md5 -count 99 -seed host67821 "My Secret Pass Phrase"
(binary gibberish)
% otp::otp-md5 -words -count 99 -seed host67821 "My Secret Pass Phrase"
SOON ARAB BURG LIMB FILE WAD
% otp::otp-md5 -hex -count 99 -seed host67821 "My Secret Pass Phrase"
e249b58257c80087
REFERENCES
[1] Haller, N. et al., "A One-Time Password System", RFC 2289, February 1998. http://www.rfc-editor.org/rfc/rfc2289.txt
[2] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, MIT and RSA Data Security, Inc, April 1992. (http://www.rfc-edi-
tor.org/rfc/rfc1321.txt)
[3] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT, April 1992. (http://www.rfc-editor.org/rfc/rfc1320.txt)
[4] H. Dobbertin, A. Bosselaers, B. Preneel, "RIPEMD-160, a strengthened version of RIPEMD" http://www.esat.kuleuven.ac.be/~cosi-
cart/pdf/AB-9601/AB-9601.pdf
[5] "Secure Hash Standard", National Institute of Standards and Technology, U.S. Department Of Commerce, April 1995.
(http://www.itl.nist.gov/fipspubs/fip180-1.htm)
BUGS, IDEAS, FEEDBACK
This document, and the package it describes, will undoubtedly contain bugs and other problems. Please report such in the category otp of
the Tcllib SF Trackers [http://sourceforge.net/tracker/?group_id=12883]. Please also report any ideas for enhancements you may have for
either package and/or documentation.
SEE ALSO
SASL, md4, md5, ripemd160, sha1
KEYWORDS
hashing, message-digest, password, rfc 2289, security
CATEGORY
Hashes, checksums, and encryption
COPYRIGHT
Copyright (c) 2006, Pat Thoyts <patthoyts@users.sourceforge.net>
otp 1.0.0 otp(3tcl)