On 25/03/2013, at 7:33, Charles Bradshaw <brad@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> That seems very wrong to me.
>
> It might be a kludge, but it's not wrong. It avoids storing plain text
> passwords, which are always a risk. The purpose of MD5 digest is to make
> passwords truly private to the user. Not even root knows users' passwords
> when stored in shadow(MD5).
>
> The only risk to shadow passwords is a brute force attack which is
> relatively easy to detect and foil.

FYI a single round of MD5 is considered quite weak these days.

The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt). A modern GPU can brute force billions of passwords per second and humans suck at generating them.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
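The point Daniel makes above (a single salted MD5 round is cheap to guess against once the hash DB leaks, whereas a deliberately slow, iterated KDF is not) can be measured rather than argued. The following is an added illustration, not code from the thread or from Cyrus; it uses only the Python standard library. The salted-MD5 scheme stands in for the shadow(MD5) style storage under discussion, PBKDF2-HMAC-SHA256 stands in for a modern slow KDF, and the sample password, salt and guess rate are constructed for the example. The rate estimate deliberately takes the attacker's guesses-per-second as an input parameter so the reader can plug in the billions-per-second GPU figure from the message.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential and salt (not taken from the thread).
SAMPLE_PASSWORD = b"correct horse battery"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Iteration count for the slow KDF; chosen so a single verification costs
# a noticeable fraction of a second on ordinary hardware.
PBKDF2_ITERATIONS = 600_000


def md5_salted(password: bytes, salt: bytes) -> bytes:
    """One round of salted MD5: roughly the shadow(MD5) scheme under discussion.

    The salt defeats precomputed (rainbow) tables, but does nothing about the
    per-guess cost, which is what a GPU attacker on a leaked DB actually pays.
    """
    return hashlib.md5(salt + password).digest()


def pbkdf2_sha256(password: bytes, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated KDF: each guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored_digest: bytes, candidate_digest: bytes) -> bool:
    """Constant-time comparison so verification itself does not leak timing."""
    return hmac.compare_digest(stored_digest, candidate_digest)


def seconds_per_guess(hash_func, password: bytes, salt: bytes,
                      samples: int) -> float:
    """Wall-clock cost of one evaluation of `hash_func`, averaged over samples."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_func(password, salt)
    return (time.perf_counter() - start) / samples


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Time to try every password of `length` chars over an alphabet of
    `alphabet_size` symbols at a given guess rate. Pure risk arithmetic."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    stored_md5 = md5_salted(SAMPLE_PASSWORD, SAMPLE_SALT)
    stored_kdf = pbkdf2_sha256(SAMPLE_PASSWORD, SAMPLE_SALT)
    assert verify(stored_md5, md5_salted(SAMPLE_PASSWORD, SAMPLE_SALT))
    assert verify(stored_kdf, pbkdf2_sha256(SAMPLE_PASSWORD, SAMPLE_SALT))

    md5_cost = seconds_per_guess(md5_salted, SAMPLE_PASSWORD, SAMPLE_SALT, 20_000)
    kdf_cost = seconds_per_guess(pbkdf2_sha256, SAMPLE_PASSWORD, SAMPLE_SALT, 3)
    print(f"salted MD5 : {md5_cost * 1e6:9.2f} us per guess on this CPU")
    print(f"PBKDF2     : {kdf_cost * 1e6:9.2f} us per guess on this CPU")
    print(f"slowdown factor: {kdf_cost / md5_cost:,.0f}x per guess")

    # Constructed attacker rate: a GPU doing a few billion MD5/s, as the
    # message describes. Divide by the slowdown factor for the KDF case.
    gpu_md5_rate = 5e9
    for label, rate in (("salted MD5", gpu_md5_rate),
                        ("PBKDF2", gpu_md5_rate * md5_cost / kdf_cost)):
        secs = exhaustive_search_seconds(26, 8, rate)
        print(f"{label:11s}: all 8-char lowercase passwords in {secs / 3600:,.1f} h")
```

On a laptop the ratio typically comes out in the hundreds of thousands: the same GPU that exhausts every 8-character lowercase password in well under an hour against salted MD5 needs years against PBKDF2 at this iteration count. Salting is still required (it stops one precomputation from covering the whole DB), but as the message says, salt alone does not rescue a single fast hash round; the per-guess cost has to go up.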