Slashdot Mirror


MD5crypt Password Scrambler Is No Longer Considered Safe

As reported here recently, millions of LinkedIn password hashes have been leaked online. An anonymous reader writes "Now, Poul-Henning Kamp, a developer known for work on various projects and the author of the md5crypt password scrambler, asks everybody to migrate to a stronger password scrambler without undue delay. From the blog post: 'New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES-based UNIX crypt was back in 1995: Any 8-character password can be found in a couple of days. The default algorithm for storing password hashes in /etc/shadow is MD5. RHEL / CentOS / FreeBSD users can migrate to the SHA-512 hashing algorithm.'" Reader Curseyoukhan was one of several to also point out that dating site eHarmony got the same treatment as LinkedIn.

Update: 06/07 20:13 GMT by T : An anonymous reader adds a snippet from Help Net Security, too: "Last.fm has piped up to warn about a leak of their own users' passwords. Users who have logged in to the site were greeted today by a warning asking them to change their password while the site investigates a security problem. Following the offered link to learn more, they landed on another page with another warning."
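The summary's advice is concrete: find the `$1$` (md5crypt) entries in /etc/shadow and move them to `$6$` (sha512crypt). The following is an added example, not code from the Slashdot story or from Poul-Henning Kamp's md5crypt. It reads the `$id$` modular-crypt prefix of each shadow hash field, flags md5crypt and traditional DES crypt, and sizes the brute-force effort at the roughly 1e6 guesses/s GPU rate quoted above, which is the arithmetic behind "a couple of days": 26^8 lowercase passwords at that rate take about 2.4 days, while the 95-character printable-ASCII keyspace takes on the order of centuries at the same rate. The sample shadow lines are constructed with placeholder hash bodies, and the function names are this example's own.

```python
"""Audit shadow(5) entries for crypt(3) schemes that no longer hold up.

Added example, not code from the page or from md5crypt itself.  The scheme
is read from the '$id$' modular-crypt prefix of each password field; the
brute-force estimate uses the ~1e6 guesses/s figure quoted in the summary.
"""
from __future__ import annotations

# Modular-crypt identifiers this audit recognises (assumption: only the
# three schemes the summary talks about; anything else is reported as-is).
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Schemes the summary retires: too cheap to evaluate to resist GPU guessing.
WEAK = {"descrypt", "md5crypt"}

GUESSES_PER_SECOND = 1_000_000  # md5crypt rate on COTS GPUs, per the summary
SECONDS_PER_DAY = 86_400

# Constructed sample; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsaltsaltsalt$placeholderhashbody:15500:0:99999:7:::
alice:$1$abcdefgh$0123456789abcdefghijkl:15500:0:99999:7:::
bob:!$1$abcdefgh$0123456789abcdefghijkl:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
carol:ab01cDEfg2hiJ:15500:0:99999:7:::
"""


def classify(hash_field: str) -> tuple[str, bool]:
    """Return (scheme, locked) for one shadow password field.

    A leading '!' or '*' locks the account but leaves any hash behind it
    intact, and a leaked locked hash is just as crackable offline.
    """
    locked = hash_field.startswith(("!", "*"))
    body = hash_field.lstrip("!*")
    if body == "":
        return ("none", locked)
    if not body.startswith("$"):
        # No modular-crypt prefix: the 13-character traditional DES form.
        return ("descrypt", locked)
    scheme_id = body.split("$")[1]
    return (SCHEMES.get(scheme_id, "unknown:" + scheme_id), locked)


def audit(shadow_text: str) -> dict[str, tuple[str, bool]]:
    """Map each user in shadow-formatted text to (scheme, locked)."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":")[:2]
        report[user] = classify(hash_field)
    return report


def weak_users(shadow_text: str) -> list[str]:
    """Users whose stored hash uses a scheme in WEAK, locked or not."""
    return sorted(user for user, (scheme, _) in audit(shadow_text).items()
                  if scheme in WEAK)


def days_to_exhaust(length: int, alphabet_size: int,
                    rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every password of this length and alphabet."""
    return alphabet_size ** length / rate / SECONDS_PER_DAY


if __name__ == "__main__":
    for user, (scheme, locked) in audit(SAMPLE_SHADOW).items():
        flag = "WEAK" if scheme in WEAK else "ok"
        print(f"{user:8} {scheme:12} {'locked' if locked else '':6} {flag}")
    print("weak:", weak_users(SAMPLE_SHADOW))
    # The "couple of days" figure is the 26-letter lowercase keyspace;
    # larger alphabets grow quickly at the same guessing rate.
    for name, size in [("lowercase", 26), ("lower+digits", 36),
                       ("mixed+digits", 62), ("printable", 95)]:
        print(f"8 x {name:12}: {days_to_exhaust(8, size):12.1f} days")
```

Run it against a copy of the real /etc/shadow (read as root) by passing the file's contents to `weak_users`. One caveat worth knowing before declaring the migration done: switching the default scheme (for example `ENCRYPT_METHOD SHA512` in /etc/login.defs, which `authconfig --passalgo=sha512 --update` sets on RHEL/CentOS, or `passwd_format=sha512` in FreeBSD's /etc/login.conf) only affects passwords set from then on. The system never has the plaintext, so an existing `$1$` entry stays md5crypt until that user next changes their password, which is why an audit like this one is needed after the config change, not just before it.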

7 of 212 comments

  1. Re:In other news by Anonymous Coward · · Score: 5, Funny

    That's why I use rot26. It's twice as strong.

  2. Any 8 character password? by HermDog · · Score: 5, Funny

    Looks like it's time to change my password to "password1".

    --
    JADBP
  3. I have a question: by safetyinnumbers · · Score: 2, Funny

    608b2d50a6521a27c12626cedfea0fc3

    1. Re:I have a question: by Ibiwan · · Score: 2, Funny

      Dude. NOT cool; way too soon.

      --
      -- //no comment
  4. LinkedIN needs security professionals... by tekrat · · Score: 5, Funny

    If only there were a website where they could connect with other security professionals, exchange ideas and maybe even find people to hire....

    --
    If telephones are outlawed, then only outlaws will have telephones.
  5. Dammit! by ThatsNotPudding · · Score: 4, Funny

    rot13 isn't safe either.

    Who told you my password?

  6. Re:Unsalted hashes are worse. by Cito · · Score: 1, Funny

    That's why people should use Pepper instead of Salt, plus Salt is bad for the heart.