Re: password length

From: Michael W. Cocke (cocke_at_catherders.com)
Date: 06/27/04 

Date: Sun, 27 Jun 2004 14:36:28 -0400

On Sun, 27 Jun 2004 16:37:11 +0000 (UTC), unruh@string.physics.ubc.ca
(Bill Unruh) wrote:

>Michael W. Cocke <cocke@catherders.com> writes:
>
>]On Sun, 27 Jun 2004 12:24:00 +0200, Hans Schilling
>]<news@compuserve.de> wrote:
>
>]>But what is the different between DES and MD5 ?
>]>
>]>Thanks.
>]>
>]>Hans.
>
>]The short answer (for non-cryptographers) is "Different encryption
>]methods".
>
>It is NOT encryption. It is hashing -- reducing an input into a random
>seeming output of fixed length-- 64 bits in teh case of the crypt(3) DES
>based hash, 128 bits in the case of the MD5 based hash.
>
>]More detail follows for those who care -
>
>]DES is the US Data Encryption Standard, which was broken a few years
>]ago but takes much horsepower to reverse.
>
>It has not been broken. Rather its password length is too short, and trying
>every password until one works can now be done.
>
>DEs is not used as a crypto -- instead it is used as a hash of the key.
>-- zero is encrypted 25 times with the password, and the output is the hash
>of the password. It cannot be reversed.
>
>
>
>
>]Message Digest ver 5 (MD5) takes as input a message of arbitrary
>]length and produces as output a 128-bit "fingerprint" or "message
>]digest" of the input.
>
>MD5 is NOT used per se in the MD5 based hash. Instead MD5 is reused
>multiple times with further bit rotations, shiftings,... in order to slow
>down the hashing.
>
>]The MD5 algorithm is actually intended for digital signature
>]applications, not really crypto at all, but it works acceptably
>]because it's computationally infeasible to produce two messages having
>]the same message digest. In principal, similar to a CRC32.
>
>MD5 is a hash, and it is used as a hash in the password algorithm.
>It is NOT used as an encryption. There is no way, no password and no
>algorithm, which will take the entry in the /etc/passwd or /etc/shadow file
>and create the password again.
>Ie, the password algorithms are not encryptions, they are hashes. And they
>work by hashing the entered password and seeing if it matches the original.
>Thus there is some probability that more than one password would equally
>well on any account. Finding even one is however very very difficult.
>
>The advantage of the MD5 based passwords is that instead of 8 characters,
>they effectively use 16 for the password (it can use an arbitrary length
>password stream, but the probablility is very high that there exists some
>16 chacter(8 bit character) password which would also work. ) This makes
>exhaustive search much more difficult.
>
>
>
>
>]Mike-
>
>]--
>]If you're not confused, you're not trying hard enough.
>]--
>
>If you are not confusing others, you are not trying hard enough.

Bill, calling something a hash and acting as though that's a magic
word doesn't make you correct. My knowledge of the subject of data
reduction and encryption is a bit dated, but at one point I knew a
fair bit about it, and I stand by what I said.

Mike- 

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,
----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---