On Mon, 2013-03-25 at 11:40 +0000, Charles Bradshaw wrote: > Yes I understand and accept the weakness of MD5. In the world of > exponentially increasing processing power there will always be weakness, > of ANY scheme. > The question is not however about the efficacy of encryption methods! > It's about how to achieve password hashing in a mysql database. > I have indicated how to use AES. Its' strength however is compromised by > the necessity of revealing the key in many places. > I would be most great-full, if anybody KNOWS: > Is there a way to store MD5 hashed passwords when using the mysql > plugin? I have no clue. BUT I still wonder what the end-goal is. If you are actually worried about theft of the underlying database then it would seem volume encryption is the correct answer - encrypt the entire database, on disk. That isn't hard and doesn't require modification of any software. Anyway, storing essentially clear-text credentials in the authorization database (be it a KDC, an LDAP server, an Active Directory server, etc...) is normal, accepted, and common. Most worthwhile authorization schemes require an 'effectively' clear-text secret on both ends. Guard the credential database and ensure communication channels are secure [encrypted]. "Make /etc/passwd useless" is an abandoned meme, you cannot win that fight. > Security through obscurity is always a bad principle. No one here is recommending that or stating that it is. > On Mon, 2013-03-25 at 08:59 +1030, Daniel O'Connor wrote: > > On 25/03/2013, at 7:33, Charles Bradshaw <brad@xxxxxxxxxxxxxxxxxxxxx> wrote: > > >> That seems very wrong to me. > > > It might be a kludge, but it's not wrong. It avoids storing plain text > > > passwords, which are always a risk. The purpose of MD5 digest is to make > > > passwords truly private to the user. Not even root knows users passwords > > > when stored in shadow(MD5). > > > The only risk to shadow passwords is a brute force attack which is > > > relatively easy to detect and foil. > > FYI a single round of MD5 is considered quite weak these days. > > The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt). > > A modern GPU can brute force billions of passwords per second and humans suck at generating them. ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
