[sf-lug] For SysAdmins upgrading of the hashing algorithm

Steve M Bibayoff bibayoff at gmail.com
Fri Jun 8 19:50:28 PDT 2012


Hello

On Fri, Jun 8, 2012 at 7:21 PM, Rick Moen <rick at linuxmafia.com> wrote:

> [...] If they'd been
> stored using a computationally more expensive hashing method like
> SHA-512 or Blowfish _and_ using salt, they would have been a great deal
> more difficult to match to plaintext, even ignoring the obviously poor
> security on hash storage.

Which brings up somewhat of a debate I've been trying to start for a
few years. Having individual salts for EACH password.

When you have millions of users, even with a salt, it's real easy to
pick out the bad passwords (think "password", or in the case of
LinkedIn, "link"), because they all have the same hash. Just pick out
the identical hashes that are used most, and chances are it's an easy
to guess, dictionary password. But, with each password having its own
salt, even with a really bad password, it would be hard to single them
out because the hashes would all be different.

Of course Rick's comment about being able to grab the shadow file does
mean the game is over on that system.


m2c

Steve
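The effect Steve describes, as an added example that is not part of the list post: a constructed user table is hashed once with a single site-wide salt and once with a fresh random salt per user. With the shared salt, every user who chose "password" ends up with the identical digest, so the most common hash values stand out as likely dictionary passwords without a single guess being made; with per-user salts, no two digests match even when the passwords do. The user names, passwords, and iteration count are invented for the demonstration, and PBKDF2-HMAC-SHA512 stands in for the "computationally more expensive" hash.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample user table: hypothetical users, several sharing weak passwords.
USERS = {
    "alice": "password",
    "bob": "link",
    "carol": "password",
    "dave": "c0rrect-h0rse-battery",
    "erin": "link",
    "frank": "password",
}

# Iteration count is an illustrative value; production deployments tune it
# to their own hardware budget.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def hash_table_global_salt(users: dict, salt: bytes = b"one-salt-for-the-whole-site") -> dict:
    """Weak design: one salt shared by every account. Returns {user: digest}."""
    return {user: hash_password(pw, salt) for user, pw in users.items()}


def hash_table_per_user_salt(users: dict) -> tuple:
    """Stronger design: a fresh random salt per account.

    Returns ({user: salt}, {user: digest}) so the salts can be stored beside
    the digests, as a shadow file or password database would.
    """
    salts = {user: os.urandom(16) for user in users}
    digests = {user: hash_password(pw, salts[user]) for user, pw in users.items()}
    return salts, digests


def duplicate_hash_groups(digests: dict) -> list:
    """Sizes of the groups of users sharing an identical digest, largest first.

    This needs no knowledge of any password: it is pure frequency counting
    over the stored hashes, which is exactly what a shared salt gives away.
    """
    counts = Counter(digests.values())
    return sorted((n for n in counts.values() if n > 1), reverse=True)


def verify_password(user: str, candidate: str, salts: dict, digests: dict) -> bool:
    """Check a login attempt against the per-user-salt table in constant time."""
    if user not in salts:
        return False
    expected = digests[user]
    actual = hash_password(candidate, salts[user])
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    shared = hash_table_global_salt(USERS)
    print("shared salt, duplicate groups:", duplicate_hash_groups(shared))

    salts, per_user = hash_table_per_user_salt(USERS)
    print("per-user salt, duplicate groups:", duplicate_hash_groups(per_user))
    print("alice logs in:", verify_password("alice", "password", salts, per_user))
```

With the shared salt the duplicate groups come out as [3, 2] (three accounts on "password", two on "link"), so the two weakest passwords are flagged purely from hash frequency. With per-user salts the list is empty: the same three "password" accounts now hold three unrelated digests, and an attacker who obtains the table has to attack each account separately.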



