Re: password hash in shadow file
- Date: Tue, 13 Mar 2018 21:20:19 +0100
- From: <tomas@xxxxxxxxxx>
- Subject: Re: password hash in shadow file
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, Mar 13, 2018 at 07:36:19PM +0100, Sven Hartge wrote:
> tomas@xxxxxxxxxx wrote:
> > Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> > all too easily
> Yes, basically.
> > But I don't think your operating system is going to do that behind
> > your back ;-)
> It would be quite obvious when just starting "passwd" takes several days
> while it cracks your MD5 hash to replace it with a stronger one ;)
And possibly eat through a disk or two (or are rainbow tables
superfluous with current GPUs? I don't know).
All that to choose quite probably a *different* password which happens
to hash to the same MD5. Login no more possible, but now secure :)
> But on that note: I wonder of one could create a PAM module which will
> do just that on successful login. Once you *know* you have the right
> password (and the PAM system has that knowledge including the plain text
> password the user entered) just rehash it and update /etc/shadow.
> This will gradually upgrade all hashes once a user uses an account.
That would be downright sneaky :-)
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----