[Novalug] linux update security?

Nino Pereira pereira@speakeasy.net
Mon Jan 14 22:09:38 EST 2008


Clayton,

interesting stuff, this security business. But, please note
that I only reacted to the question: how large is 2^128?,
and, how do you get a feel for how much this is? So, instead
of doing it exactly, as Don did, I just picked a number that's
reasonably close and then ran with it.

Your points, and the ones in the web sites you mention, are
well-taken: there is indeed a lot of activity in trying to
factor large numbers, in designing random number generators,
and related things. Still, it seems to me that MD5 is fine
for run of the mill checking of whether files down-loaded
properly, which is what it's used for a lot.

Perfect security, of course doesn't exist, and the weakest
link is not in technology but in humans. As an example,
I think the worst practice is to force people to have
complicated passwords that they can not possibly remember
(my most recent one demanded 2 CAPITALS, 2 lower case, 2 numbers,
and 2 weird symbols (&,#, etc), with 10 in total).
So, I wrote it down, and I'll keep it at the machine where I need it.
Is it secure? no, not at all.

Much more secure are my standard passwords. I have a few,
each for its own purpose. I don't write these down, and they
are secure enough: no one will guess the first two
(they are nonsense-words, were made back in the early '80s,
by a program that made good passwords), or the last one (which
does have some of the characteristics mentioned, but not all).

Clayton Graham wrote:

> Paper explaining a fast collision attack 
> <http://eprint.iacr.org/2004/199.pdf>
> wikipedia entry for MD5 <http://en.wikipedia.org/wiki/MD5>
> Project RainbowCrack - software implementing a fast attack against MD5 
> et. al. <http://www.antsight.com/zsl/rainbowcrack/>



More information about the Novalug mailing list