LinuxQuestions.org


swiadek 02-11-2006 06:13 PM

Password Encryption: DES, MD5, Blowfish.
 

What should be considered when choosing a Password Encryption format?

Why do some distributions default to Blowfish when, according to Linux Install, DES is reported as Linux Default?

What effect does the Password Encryption format have when using Linux in a multi-operating-system environment? Let's say Linux, Windows, NetWare and MacOS.

What effect does the Password Encryption format have when a Linux network spans North America, Europe, Asia and Africa?

How can the Password Encryption format be changed after a Linux system is already installed and configured?

Are there other Password Encryption formats besides DES, MD5, Blowfish?

Berhanie 02-11-2006 07:50 PM

When is it due?

primo 02-12-2006 01:17 AM

Quote:

Originally Posted by swiadek
What should be considered when choosing a Password Encryption format?

Of the 3 algorithms mentioned, the one based on Blowfish takes a longer time to brute-force. This is a plus. MD5 will no longer be considered an option for cryptographic use as it's known to be vulnerable.

Quote:

Why do some distributions default to Blowfish when, according to Linux Install, DES is reported as Linux Default?

DES has been phased out. Some distributions use Blowfish by default because it's better and both DES & MD5 are no longer considered secure.

Quote:

What effect does the Password Encryption format have when using Linux in a multi-operating-system environment? Let's say Linux, Windows, NetWare and MacOS.

If it's used for authentication then there's no problem if it's centralized. You may then use LDAP, Kerberos, NIS, Samba... Another issue may be migration: if the new system doesn't understand the format, you have to reset passwords and make people introduce new ones.

Quote:

How can the Password Encryption format be changed after a Linux system is already installed and configured?

Yeah, it's possible.

int0x80 02-12-2006 04:07 PM

Quote:

Originally Posted by Berhanie
When is it due?

LOL my thoughts exactly. Beat me to it :)

frob23 02-12-2006 07:53 PM

Quote:

Originally Posted by primo
MD5 will no longer be considered an option for cryptographic use as it's known to be vulnerable.

Do you have a reference for this as it relates to passwords? I would be interested in seeing it.

Please note: md5 passwords used for *nix are salted. I have a feeling you're referencing a MySQL issue or a file integrity issue, both of which are vastly different. If I am wrong, I really would be interested in seeing something about it.

Berhanie 02-12-2006 08:54 PM

With MD5, people have found "collisions", i.e. two different files having the same MD5 hash. This is the reason some people are questioning it. As far as I know, no one has been able to start with a fixed (in the sense of mathematics) file A, and produce a different file B having the same MD5 hash.

frob23 02-12-2006 09:04 PM

Quote:

Originally Posted by Berhanie
With MD5, people have found "collisions", i.e. two different files having the same MD5 hash. This is the reason some people are questioning it. As far as I know, no one has been able to start with a fixed (in the sense of mathematics) file A, and produce a different file B having the same MD5 hash.

Yes, I know this, but file collisions are unrelated to passwords in many ways. File md5s are unsalted, the samples are much larger (giving more opportunity to "correct" for differences), and so on. If there is a report which investigated these concerns and found a reason to suspect md5 as insecure in passwords, I would like to see it.

While I do not place unfailing trust in any method of encryption, I have selected md5 passwords across my network (and other computers I have set up)... if there is a reason to change this, I would be interested in seeing it. I have looked myself after I first read the comment above but have been unable to find anything on it.
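Added example, not part of any post in this thread: a small audit that reads shadow-style entries and reports which of the three schemes discussed here (traditional DES crypt, salted MD5 crypt with the `$1$` prefix, Blowfish-based bcrypt with the `$2…$` prefixes) each account uses, together with the per-account salt. The function names and the sample entries are constructed for illustration.

```python
import re

# crypt(3) "$id$" prefixes mapped to scheme names.
SCHEMES = {"1": "md5-crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")   # traditional DES: 2 salt + 11 hash chars

def classify(field):
    """Return (scheme, salt) for the password field of a shadow-style entry."""
    if field == "" or field[0] in "!*":       # empty = no password; !/* = locked
        return ("no-password" if field == "" else "locked", None)
    if field.startswith("$"):
        parts = field.split("$")              # "$1$salt$hash" -> ['', '1', 'salt', 'hash']
        scheme = SCHEMES.get(parts[1])
        if scheme is None or len(parts) < 4:
            return ("unknown", None)
        if scheme == "bcrypt":                # "$2a$cost$" + 22 salt chars + 31 hash chars
            return (scheme, parts[3][:22])
        return (scheme, parts[2])
    if DES_RE.fullmatch(field):
        return ("des-crypt", field[:2])
    return ("unknown", None)

def audit(lines):
    """Map each user name to (scheme, salt); skip blanks, comments, malformed lines."""
    report = {}
    for line in lines:
        user, sep, rest = line.strip().partition(":")
        if sep and not user.startswith("#"):
            report[user] = classify(rest.split(":")[0])
    return report

def by_scheme(report):
    """Group user names by hashing scheme so legacy formats stand out."""
    groups = {}
    for user, (scheme, _salt) in sorted(report.items()):
        groups.setdefault(scheme, []).append(user)
    return groups

# Constructed sample entries (hash bodies are filler, not real password hashes).
SAMPLE = [
    "alice:abcdefghijk.Z:13191:0:99999:7:::",
    "bob:$1$Zx8qLm2p$" + "A" * 22 + ":13191:0:99999:7:::",
    "erin:$1$Qw3rTy7u$" + "A" * 22 + ":13191:0:99999:7:::",
    "carol:$2a$10$" + "B" * 22 + "C" * 31 + ":13191:0:99999:7:::",
    "dave:!:13191:0:99999:7:::",
]

if __name__ == "__main__":
    print(by_scheme(audit(SAMPLE)))
```

On a live system the same functions can be fed the lines of the shadow file; the salt column shows that every account carries its own salt, which is the property the salted-versus-unsalted MD5 discussion above turns on.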

Capt_Caveman 02-13-2006 04:27 PM

The forum rules do not permit posting of homework questions. Please visit http://www.linuxquestions.org/linux/rules.php for more information. Feel free to contact the forum admin if you have any questions about this policy.

I'm closing this thread.

