> You do realize that MD5 has been _fully_ broken now, don't you? And I'm > not talking about dictionary attacks; I'm talking about a fast > mathematical attack vector on the algorithm itself. This isn't really about storing MD5s for any length of time, it's about migrating a bunch of existing MD5 hashes into the directory from another directory that stores them (and doesn't support SSHA-512 or anything similar). Also, a couple of points: * The MD5 hashes aren't publically available. To generate a collision on a hash you have to have the hash, and if the server won't let you read the hash then you're stumped. Until, of course, you break the root DN password of the DS, in which case the security of MD5 is the least of your worries. * The MD5 collision generators can generate (quickly) two strings that have the same MD5 checksum. We cannot (yet) quickly generate a string that has a chosen checksum. Manipulating a piece of data to have the checksum you want (i.e. MD5 password cracking) is a hell of a lot more difficult than finding a colision between two bits of random data. The walls are down on this, though, and generating a piece of data with a chosen checksum is probably a few years away. Long enough to begin and conclude a password migration strategy. * It's still safer than storing clear text. -- Del
