Friday, February 09, 2007

Schneier.com: A New Secure Hash Standard

This is good and important news:
The U.S. National Institute of Standards and Technology is having a competition for a new cryptographic hash function. This matters. The phrase "one-way hash function" might sound arcane and geeky, but hash functions are the workhorses of modern cryptography. They provide web security in SSL. They help with key management in e-mail and voice encryption: PGP, Skype, all the others. They help make it harder to guess passwords. They're used in virtual private networks, help provide DNS security and ensure that your automatic software updates are legitimate. They provide all sorts of security functions in your operating system. Every time you do something with security on the internet, a hash function is involved somewhere.
And why is this new competition important?
The hash function you're most likely to use routinely is SHA-1. Invented by the National Security Agency, it's been around since 1995. Recently, though, there have been some pretty impressive cryptanalytic attacks against the algorithm. The best attack is barely on the edge of feasibility, and not effective against all applications of SHA-1. But there's an old saying inside the NSA: "Attacks always get better; they never get worse." It's past time to abandon SHA-1.
That's why! MD5 has been broken, and it looks like SHA-1 is going to be broken sometime in the not-too-distant future, so it is important to find a new one. This competition will hopefully result in a lot of research in this area and a good new secure hash standard.


Thursday, January 11, 2007

Schneier on choosing passwords

Here is an article about choosing good passwords that is worth reading. It contains some quite interesting facts about password guessing. And then there is the ending comment that makes you a bit depressed:
The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system.
