Md5crypt Password scrambler is no longer considered safe by author¶
This issue has been assigned: CVE-2012-3287
Please note: If you don’t know the difference between MD5 and md5crypt, you should figure it out before reading any further.
The md5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.
New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
I will NOT design the next standard password scrambler, I am not a card-carrying cryptographer, and don’t want to be hazzeled by those who are.
But I will give the following guidance to the process:
On a state of the art COTS computer, the algorithm should take at the very least 0.1 second (100 milliseconds) when implemented in software, preferably more.
Some kind of “round count” parameter should be made run-time tweakable so that the runtime/complexity can be increased over time by system administrators.
The algorithm should be based on repeated data-dependent iterations of several different complex one-way hash functions (MD5, SHA1, SHA2, BLOWFISH, you name it, use them all) in order to “soak up area” in hardware based attack implementations.
Please notice that there is _no_ advantage in everybody in the world using the exact same algorithm, quite the contrary in fact.
All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.
Thanks for listening,
And thanks for using my code.
Poul-Henning Kamp
2012-06-07