Re: what percent of time are there unpatched exploits against default config?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Hello Johnny,

On Sat, 2011-12-31 at 08:13 -0600, Johnny Hughes wrote:
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
> 
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

These articles fail to clarify even the most basic of assumptions they
make. I can only guess the numbers relate to the cracking of MD5 hashes
(salted or unsalted?) and access to the /etc/shadow file.

On CentOS-6 password hashes are no longer stored as MD5, but as SHA-512
hashes. Apparently the SHA hashing algorithms as used by Red Hat have a
configurable iterator count much like bcrypt
( http://en.wikipedia.org/wiki/Crypt_%28Unix%29 "SHA2-based scheme").

Also, the only way for an attacker to have access to /etc/shadow is to
already have root access to your system in which case you are already
faqed.

Imo the weakness of MD5 hashes is more of a concern for web applications
where an attacker might gain access to (part of) your database via f.e.
SQL injection. This is why a proper web application will use a bcrypt
hash to store passwords. As the amount of iterations bcrypt uses is
configurable the algorithm can scale with increasing processing power.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux