|
|
 |
| New User, Welcome! Login |
Re: [R7-0035] VxWorks Authentication Library Weak Password Hashing
| From: |
Solar Designer <solar openwall com> |
| To: |
HD Moore <HD_Moore rapid7 com> |
| Cc: |
"bugtraq securityfocus com" <bugtraq securityfocus com> |
| Subject: |
Re: [R7-0035] VxWorks Authentication Library Weak Password Hashing |
| Date: |
Tue - Aug 03, 2010 08:41 AM |
On Mon, Aug 02, 2010 at 11:55:05PM -0400, HD Moore wrote:
> -- Vendor Response:
> Wind River Systems has notified their customers of the issue and
> suggested that each downstream vendor replace the existing hash
> implementation with SHA512 or SHA256.
Like, without salting and stretching/strengthening? That's not the best
suggestion. I try to explain this without going into too much detail here:
http://www.openwall.com/articles/PHP-Users-Passwords#salting
At this time, vendors should implement either bcrypt (Blowfish-based):
http://www.openwall.com/crypt/
or SHA-crypt (usually the kind of it based on SHA-512, because that
makes better use of 64-bit CPUs):
http://www.akkadia.org/drepper/sha-crypt.html
There's almost no security difference between these two. Both should
be replaced with something even better eventually - along the lines of
scrypt (adding more parallelism and configurable memory cost) - but
we're not ready for that yet (no peer-reviewed and agreed upon
implementation to recommend to vendors, even though some ideas in this
area have been floating around since 1990s).
Alexander
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
