Andrew <marlow.andrew@gmail.com> writes:
>I always thought that it was best to store crypted passwords but I
>read recently that hashes are stored rather than crypted versions. I
>have a question about this....
Very few systems have ever stored crypted passwords. Unix systems have
been using hashes with salts since at least when Robert Morris
implemented it in 1978?
http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps
Of course in those days, the hash function took over a second to compute.
Don't confuse the name of the function (crypt()) with what it is being
used for. You can also build hash functions out of block ciphers like DES
as well.
>I recently came across bcrypt. It caught my eye because it said that
>many systems store passwords as hashes and hashes by their very nature
>are fast to produce, making dictionary attacks possible.
Not necessarily. Hash functions generally haven't been as heavy as the
many rounds of block ciphers used for encryption, but you can do more
rounds and bigger keys in order to beef them up.
Dictionary attacks are possible because CPUs get faster and faster,
and utilizing clouds of computers, or having gobs of storage space for
precomputing steps are possible because computer technology always grows.
...
> I always thought that in UNIX systems the password was
>stored crypted using a modified form of DES with added salt. It seems
>from the bcrypt article that some versions of UNIX do still do this
>(e.g Linux) but others, notably ones based on freeBSD do not.
No, traditional unix crypt hash function always stored hashes. The
fallback hash store on any modern unix system is still the DES based
hash function in crypt(). BSDi was the first to publicly modify this
(private modifications were in place on some installations) with more
rounds and a bigger salt. Then others took over to do MD5 hashes
(taken up by Linux fairly quickly), and others did a hash scheme built
on the Blowfish block cipher (bcrypt, which is what you were looking at).
Most modern unix systems today support all three of these variants
(DES based hash, MD5, Blowfish). Some linux systems have a system
supporting SHA1 hashes now as well that isn't as widely used on others.
>So my question is "Why have systems moved from crypting passwords to
>storing a hash?". I don't understand why this should be if it makes
>them vulnerable to dictionary attacks. Can someone explain please?
They haven't?
Hash systems become vulnerable to dictionary attacks because CPUs get
faster, and people can harness more of them together to run through
things faster and faster. The counter-attack is to make the hash
functions bigger, run through more loops, and provide more keying material.
It's all a trade-off. Somebody doesn't want to wait 30 seconds for
login to commence because the system has to sit and hash their
password for that time. But 10 years ago, what took 30 seconds of CPU time
goes by in a fraction of a second now.
>If one wants a better crypting algorithm than the modified DES there
>are loads to choose from. Triple-DES seems pretty good, and of course
>there is AES. Why aren't login passwords stored using these
>algorithms?
Passwords aren't stored encrypted on most systems. Unfortunately this
is not true for basic web apps. :( Encrypted items need a key to
unlock them. In automated systems like login daemons, having a master
unlock key would be bad in the case of a system compromise.
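The reply's three points (a per-password salt, a tunable round count carried in the stored record, and no master key to protect) can be shown in a few lines. This is an added example, not the poster's code and not any real crypt(3) format: it uses Python's standard-library PBKDF2-HMAC-SHA256 as the iterated hash, and the record layout "$pbkdf2-sha256$<rounds>$<salt-hex>$<digest-hex>" is an assumption made up here to mirror how the DES/MD5/Blowfish crypt variants embed their own salt and parameters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record format for this example (not a real crypt(3) identifier):
#   $pbkdf2-sha256$<rounds>$<salt-hex>$<digest-hex>
ALGORITHM_ID = "pbkdf2-sha256"
# The "more loops" knob from the reply: raise it as CPUs get faster.
DEFAULT_ROUNDS = 200_000


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm id, round count, salt, digest.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table for one salt is useless
    for any other. No key is involved, so there is nothing for a login
    daemon to keep secret beyond the records themselves.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${ALGORITHM_ID}${rounds}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (rounds, salt, digest)."""
    _, algorithm, rounds, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM_ID:
        raise ValueError(f"unsupported algorithm id: {algorithm}")
    return int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record was made with fewer rounds than current policy.

    Because the round count travels inside the record (as it does in the
    crypt() formats the reply lists), old records keep verifying and can be
    upgraded transparently on the next successful login.
    """
    rounds, _, _ = parse_record(record)
    return rounds < current_rounds


if __name__ == "__main__":
    # Constructed demo values; the low round count keeps the demo quick.
    record = hash_password("correct horse battery staple", rounds=50_000)
    print(record)
    print("verify ok   :", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

On a successful login the caller would check needs_rehash and, if it returns True, replace the record with hash_password using the current policy, which is how a site keeps up with the "CPUs get faster" problem without forcing a password reset.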