Responsible disclosure in open source: The crypt() vulnerability

Posted Jun 9, 2012 7:50 UTC (Sat) by bsdphk (guest, #85042)
In reply to: Responsible disclosure in open source: The crypt() vulnerability by tialaramex
Parent article: Responsible disclosure in open source: The crypt() vulnerability

With respect to "exaggerated numbers": Yes, for reasons of confidentiality I cannot reveal all I know, but do read the provided reference about GPUs, and then ask yourself "I wonder what speed an FPGA runs then...?"

With respect to mistimed, no, it was very carefully timed and I hit it very close to perfect.

To get a message like this out to all the people who need to hear it is very difficult.

I don't have a Vogon Tannoy where I can press a button and go "People of Earth, Your attention please..."

Piggybacking on the LinkedIn attention-wave meant that news-providers had "password" in their short-term memory and my message got very efficiently relayed.

With respect to the guidance I give: If you think that is a bad idea, I suggest you write an easy to use, liberally licensed password scrambler which actually solves the problem for a decade or two.

The present wave can be surfed for about a week more...

Thanks for using my code

Poul-Henning



Responsible disclosure in open source: The crypt() vulnerability

Posted Jun 11, 2012 10:31 UTC (Mon) by intgr (subscriber, #39733)

> With respect to the guidance I give: If you think that is a bad idea, I suggest you write an easy to use, liberally licensed password scrambler which actually solves the problem for a decade or two.

There are tons of free implementations of PBKDF2 and a few of scrypt. Those are the only two that are worth using. Surely you were aware of both? I'm surprised you're even suggesting that we need any new libraries/standards.

