[CentOS] what percent of time are there unpatched exploits against default config?

Sat Dec 31 17:26:34 UTC 2011
Leonard den Ottolander <leonard at den.ottolander.nl>

Hello Johnny,

On Sat, 2011-12-31 at 08:13 -0600, Johnny Hughes wrote:
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

These articles fail to clarify even the most basic of assumptions they
make. I can only guess the numbers relate to the cracking of MD5 hashes
(salted or unsalted?) and access to the /etc/shadow file.

On CentOS-6 password hashes are no longer stored as MD5, but as SHA-512
hashes. Apparently the SHA hashing algorithms as used by Red Hat have a
configurable iterator count much like bcrypt
( http://en.wikipedia.org/wiki/Crypt_%28Unix%29 "SHA2-based scheme").

Also, the only way for an attacker to have access to /etc/shadow is to
already have root access to your system in which case you are already

Imo the weakness of MD5 hashes is more of a concern for web applications
where an attacker might gain access to (part of) your database via f.e.
SQL injection. This is why a proper web application will use a bcrypt
hash to store passwords. As the amount of iterations bcrypt uses is
configurable the algorithm can scale with increasing processing power.


mount -t life -o ro /dev/dna /genetic/research