[Ffmpeg-devel] SVN challenge response authentication weaknesses

Rich Felker dalias
Mon May 29 05:07:32 CEST 2006

On Sun, May 28, 2006 at 11:54:47PM +0300, Uoti Urpala wrote:
> On Sun, 2006-05-28 at 23:34 +0300, Ivan Kalvachev wrote:
> > CRAM-MD5 is 9 years old technique. Actually it doesn't matter how
> > strong your password is. The MD5 could be cracked in reasonable time,
> > as MD5 bruteforcers and processor power are quite common these days.
> MD5 weaknesses are not really relevant for this use. I don't think there
> is an attack better than bruteforcing the password (which can be a
> practical attack against CRAM-MD5 though if the passwords are short
> enough to be remembered/typed by humans as you can do it offline after
> capturing some traffic).

This is correct; the known MD5 weaknesses have no impact on the use of
MD5 as a password hash whatsoever. However it certainly is feasible to
brute-force with enough machines and enough time.


More information about the ffmpeg-devel mailing list