[15887] in bugtraq
Re: @stake Security Advisory: NetZero Password Algorithm
daemon@ATHENA.MIT.EDU (Damien Miller)
Fri Jul 21 16:16:18 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0007211201171.10976-100000@mothra.mindrot.org>
Date: Fri, 21 Jul 2000 12:02:39 +1000
Reply-To: Damien Miller <djm@MINDROT.ORG>
From: Damien Miller <djm@MINDROT.ORG>
X-To: Dan Kaminsky <dankamin@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <056d01bff138$e84100e0$16ab44ab@cisco.com>

On Tue, 18 Jul 2000, Dan Kaminsky wrote:
> Of course, the obvious question is how a system verifies the correctness of a
> password without actually possessing that password. It's a question that's
> rather repeatedly answered. Password handling is simultaneously one of the
> few Solved Problems of Cryptography *and* one of the most misunderstood.
> Simply store a MD5 or SHA-1 one-way hash of the password.

Salted I hope, unless you like dictionary attacks.

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
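
The point made in this reply, as an added example that is not part of the original message: unsalted hashes of the same password are identical across accounts and match a table computed once from a wordlist, while per-user salts make every stored record distinct. The function names, the sample accounts and the wordlist are constructed for illustration, and PBKDF2-HMAC-SHA256 is swapped in here for the salted form in place of the bare MD5 or SHA-1 named in the quoted text.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_record(password: str) -> str:
    """Bare SHA-1 of the password, as in the quoted suggestion."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a PBKDF2-HMAC-SHA256 digest (swapped-in KDF)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def precomputed_hits(stored: Dict[str, str], wordlist: List[str]) -> Set[str]:
    """Accounts whose unsalted hash appears in a table built once from the wordlist."""
    table = {unsalted_record(word) for word in wordlist}
    return {user for user, digest in stored.items() if digest in table}


# Constructed sample data: two accounts share a common password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x9#Lq2!vTz"}
WORDLIST = ["password", "sunshine", "letmein"]


def audit() -> dict:
    """Compare what the two storage schemes reveal about the sample accounts."""
    unsalted = {user: unsalted_record(pw) for user, pw in USERS.items()}
    salted = {user: salted_record(pw) for user, pw in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "table_hits": precomputed_hits(unsalted, WORDLIST),
    }
```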