[CentOS] what percent of time are there unpatched exploits against default config?
Leonard den Ottolander
leonard at den.ottolander.nl
Sat Dec 31 17:26:34 UTC 2011
Hello Johnny,
On Sat, 2011-12-31 at 08:13 -0600, Johnny Hughes wrote:
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
These articles fail to clarify even the most basic of assumptions they
make. I can only guess the numbers relate to the cracking of MD5 hashes
(salted or unsalted?) and access to the /etc/shadow file.
On CentOS-6 password hashes are no longer stored as MD5, but as SHA-512
hashes. Apparently the SHA hashing algorithms as used by Red Hat have a
configurable iterator count much like bcrypt
( http://en.wikipedia.org/wiki/Crypt_%28Unix%29 "SHA2-based scheme").
Also, the only way for an attacker to have access to /etc/shadow is to
already have root access to your system in which case you are already
faqed.
Imo the weakness of MD5 hashes is more of a concern for web applications
where an attacker might gain access to (part of) your database via f.e.
SQL injection. This is why a proper web application will use a bcrypt
hash to store passwords. As the number of iterations bcrypt uses is
configurable, the algorithm can scale with increasing processing power.
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
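As an added example (not part of the original post or of CentOS itself), here is a small Python audit of the crypt(3) hash formats discussed above: it reads the scheme identifier and the rounds= or bcrypt cost field from /etc/shadow-style lines and flags md5-crypt entries or work factors below a chosen policy. The shadow lines are constructed placeholders, and the 5000-round default assumed for the SHA2 schemes when rounds= is omitted is the crypt(3) default.

```python
import re

# Constructed /etc/shadow-style sample lines; hash bodies are placeholders, not real credentials.
SAMPLE_SHADOW = """\
legacy:$1$saltsalt$placeholdermd5hash:15000:0:99999:7:::
default:$6$saltsalt$placeholdersha512hash:15000:0:99999:7:::
hardened:$6$rounds=100000$saltsalt$placeholdersha512hash:15000:0:99999:7:::
webapp:$2a$12$placeholderbcryptsaltandhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:15000:0:99999:7:::
locked:!!:15000:0:99999:7:::
"""

SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # crypt(3) SHA2 scheme default when rounds= is absent


def parse_hash(field):
    """Return (scheme, work factor): rounds for the SHA2 schemes, log2 cost for
    bcrypt, None where it is fixed (md5-crypt) or the account is locked."""
    if not field.startswith("$"):
        return ("locked-or-empty", None)  # "!!", "*", "!" or an empty field
    parts = field.split("$")[1:]
    scheme = SCHEMES.get(parts[0], "unknown:" + parts[0])
    if scheme == "bcrypt":
        return (scheme, int(parts[1]))  # bcrypt cost is log2 of the iteration count
    if scheme in ("sha256-crypt", "sha512-crypt"):
        m = re.fullmatch(r"rounds=(\d+)", parts[1])
        return (scheme, int(m.group(1)) if m else SHA_CRYPT_DEFAULT_ROUNDS)
    return (scheme, None)


def audit_shadow(text, min_sha_rounds=5000, min_bcrypt_cost=10):
    """Flag accounts whose hash scheme or work factor is below policy."""
    findings = []
    for line in text.splitlines():
        user, field = line.split(":")[:2]
        scheme, cost = parse_hash(field)
        if scheme == "md5-crypt":
            findings.append((user, "md5-crypt has a fixed 1000 iterations; migrate to sha512-crypt"))
        elif scheme.endswith("-crypt") and cost < min_sha_rounds:
            findings.append((user, f"{scheme} rounds={cost} below policy {min_sha_rounds}"))
        elif scheme == "bcrypt" and cost < min_bcrypt_cost:
            findings.append((user, f"bcrypt cost={cost} below policy {min_bcrypt_cost}"))
        elif scheme.startswith("unknown"):
            findings.append((user, f"unrecognised hash prefix {scheme.split(':')[1]}"))
    return findings
```

Raising min_sha_rounds to 50000 additionally flags the "default" account, which is the case where rounds= was never set and the 5000-round default applies.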