[plug] Is Red hat truly flawed?

Christian christian at amnet.net.au
Wed May 3 10:43:00 WST 2000


On Tue, May 02, 2000 at 04:31:38PM +0800, The Thought Assassin wrote:
> > I doubt that most sites actually do this on a regular basis.  If you can
> > get the shadow password file then you're probably going to break a small
> > but significant number of accounts.  It's a pity that bcrypt hasn't been
> > ported to Linux.
> And bcrypt stops you from encrypting your dictionary how?

I'm going to take this question literally and assume you are asking what
prevents bcrypt from being vulnerable to a precomputed dictionary
attack.  The simple answer is that bcrypt uses a 128-bit salt.
Therefore, to store precomputed hashes for even a single password would
take 3.4x10^38 storage places (in bytes, multiply it by the size of the
data to be stored...).  Compare this to the 12-bit salt used by
DES and often by MD5 (may vary between 12 and 48 in FreeBSD, not sure
about Linux).  This gives 4096 possibilities which obviously makes it
tractable to store precomputed dictionaries; one estimate suggests that
the entire Webster's Dictionary could be hashed and stored in 670MB when
using all available optimisations.  This possibility does not exist for
bcrypt.

This is, however, only one of the ways that bcrypt nullifies current
attacks against other password hashing schemes.  If you want to know
more I suggest you see "A Future-Adaptable Password Scheme" by Niels
Provos and David Mazieres -- from memory it was part of a USENIX
conference a few years ago.  The bcrypt() function is a standard part of
OpenBSD and you can get more information on it from the web site.

Regards,

Christian.
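
Added example, not part of Christian's message: a small Python sketch of the salt-width argument above, showing that a precomputed dictionary needs one row per (salt, word) pair. SHA-256 stands in for the real crypt()/bcrypt functions, and the word list, function names and sample salts are constructed for illustration.

```python
import hashlib

def salted_hash(word: str, salt: int, salt_bits: int) -> bytes:
    """Stand-in for a salted password hash (NOT DES crypt or bcrypt)."""
    salt_bytes = salt.to_bytes((salt_bits + 7) // 8, "big")
    return hashlib.sha256(salt_bytes + word.encode()).digest()

def table_entries(n_words: int, salt_bits: int) -> int:
    """Rows a full precomputed dictionary needs: one per (salt, word) pair."""
    return n_words * 2 ** salt_bits

def build_table(words, salt_bits, salts=None):
    """Precompute (salt, hash) -> word for the given salts (default: every salt)."""
    salts = range(2 ** salt_bits) if salts is None else salts
    return {(s, salted_hash(w, s, salt_bits)): w for s in salts for w in words}

def lookup(table, salt, digest):
    """Return the word for a stored (salt, hash) pair, or None if not covered."""
    return table.get((salt, digest))

# Constructed sample word list.
WORDS = ["apple", "banana", "cherry", "dragon"]

def demo():
    # 12-bit salt: all 4096 salts fit in one table, so any listed word is found.
    small = build_table(WORDS, 12)
    stored_salt = 0xABC  # constructed sample salt
    hit = lookup(small, stored_salt, salted_hash("cherry", stored_salt, 12))
    # 128-bit salt: a table covering 4096 salts misses an arbitrary stored salt.
    partial = build_table(WORDS, 128, salts=range(4096))
    big_salt = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample salt
    miss = lookup(partial, big_salt, salted_hash("cherry", big_salt, 128))
    return hit, miss, len(small), table_entries(len(WORDS), 128)

if __name__ == "__main__":
    hit, miss, rows, full = demo()
    print(f"12-bit salt: recovered {hit!r} from a table of {rows} rows")
    print(f"128-bit salt: lookup -> {miss}; full table needs {full:.3e} rows")
```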