LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 02-11-2006, 06:13 PM   #1
swiadek
LQ Newbie
 
Registered: Feb 2006
Distribution: Ubuntu v5.1
Posts: 16

Rep: Reputation: 0
Password Encryption: DES, MD5, Blowfish.


Password Encryption: DES, MD5, Blowfish.

What should be considered when choosing Password Encryption format ?

Why do some distributions default to Blowfish when according to Linux Install DES is reported as Linux Default ?

What effect has the Password Encryption format when using Linux in multi operating systems environment. Let's say Linux, Windows, NetWare and MacOS.

What effect has the Password Encryption format when Linux network spans across North America, Europe, Asia and Africa ?

How can Password Encryption Format be changed after Linux system is already installed and configured ?

Are there other Password Encryption format beside DES, MD5, Blowfish ?
 
Old 02-11-2006, 07:50 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
When is it due?
 
Old 02-12-2006, 01:17 AM   #3
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Quote:
Originally Posted by swiadek
What should be considered when choosing Password Encryption format ?
Of the 3 algorithms mentioned, the one based on blowfish takes a longer time to brute-force. This is a plus. MD5 will no longer be considered an option for cryptographic use as it's known to be vulnerable.

Quote:
Why do some distributions default to Blowfish when according to Linux Install DES is reported as Linux Default ?
DES has been phased out. Some distributions use blowfish by default because it's better and both DES & MD5 are no longer considered secure.

Quote:
What effect has the Password Encryption format when using Linux in multi operating systems environment. Let's say Linux, Windows, NetWare and MacOS.
If it's used for authentication then there's no problem if it's centralized. You may then use LDAP, Kerberos, NIS, Samba... Another issue may be migration: if the new system doesn't understand the format, you have to reset passwords and make people introduce new ones.

Quote:
How can Password Encryption Format be changed after Linux system is already installed and configured ?
Yeah, it's possible.
 
Old 02-12-2006, 04:07 PM   #4
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Quote:
Originally Posted by Berhanie
When is it due?
LOL my thoughts exactly. Beat me to it
 
Old 02-12-2006, 07:53 PM   #5
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: Ubuntu, FreeBSD, NetBSD
Posts: 1,449

Rep: Reputation: 47
Quote:
Originally Posted by primo
MD5 will no longer be considered an option for cryptographic use as it's known to be vulnerable.
Do you have a reference for this as it relates to passwords? I would be interested in seeing it.

Please note: md5 passwords used for *nix are salted, I have a feeling you're referencing a MySQL issue or a file integrity issue, both of which are vastly different. If I am wrong, I really would be interested in seeing something about it.

Last edited by frob23; 02-12-2006 at 07:57 PM.
 
Old 02-12-2006, 08:54 PM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
With MD5, people have found "collisions", i.e. two different files having the same MD5 hash. This is the reason some people are questioning it. As far as I know, noone has been able to start with a fixed (in the sense of mathematics) file A, and produce a different file B having the same MD5 hash.
 
Old 02-12-2006, 09:04 PM   #7
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: Ubuntu, FreeBSD, NetBSD
Posts: 1,449

Rep: Reputation: 47
Quote:
Originally Posted by Berhanie
With MD5, people have found "collisions", i.e. two different files having the same MD5 hash. This is the reason some people are questioning it. As far as I know, noone has been able to start with a fixed (in the sense of mathematics) file A, and produce a different file B having the same MD5 hash.
Yes, I know this but file collisions are unrelated to passwords in many ways. File md5s are unsalted, the samples are much larger (giving more opportunity to "correct" for differences), and so on. If there is a report which investigated these concerns and found a reason to suspect md5 as insecure in passwords, I would like to see it.

While I do not place unfailable trust in any method of encryption, I have selected md5 passwords across my network (and other computers I have setup)... if there is a reason to change this, I would be interested in seeing it. I have looked myself after I first read the comment above but been unable to find anything on it.
 
Old 02-13-2006, 04:27 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The forum rules do not posting of homework questions. Please visit http://www.linuxquestions.org/linux/rules.php for more information. Feel free to contact the forum admin if you have any questions about this policy.

I'm closing this thread
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Password Encryption: DES, MD5, Blowfish. swiadek Linux - General 1 02-13-2006 05:25 AM
Password Encryption After MD5 Deprecation ombill Fedora 1 08-22-2005 05:16 PM
change password encryption to DES? (gentoo) gyost Linux - Security 0 02-15-2005 01:54 PM
How can I tell if my distro is using md5 or blowfish LinuxHawk Linux - Security 1 01-25-2005 09:41 PM
enabling blowfish password hash on RedHat linux appadesai Linux - General 0 04-05-2003 07:20 AM


All times are GMT -5. The time now is 01:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration