Date:      Fri, 17 May 2002 18:05:37 +0200
From:      Erik Paulsen Skålerud <erik@pentadon.com>
To:        'Erik Paulsen Skålerud' <erik@pentadon.com>, "'Paul Herman'" <pherman@frenchfries.net>, "'Matthew Hunt'" <mph@astro.caltech.edu>
Cc:        "'Jesper Wallin'" <z3l3zt@phucking.kicks-ass.org>, <pulz@pulz.no>, <security@FreeBSD.ORG>
Subject:   RE: How secure is a password and how many characters does it allow?
Message-ID:  <000201c1fdbc$b2b4b1f0$cea8a1d5@erik>
In-Reply-To: <006101c1fdba$4b4bfca0$cea8a1d5@erik>

I found out. Just change one line in /etc/auth.conf

Oh well :)

Erik.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Erik Paulsen
Skålerud
Sent: Friday, May 17, 2002 5:48 PM
To: 'Paul Herman'; 'Matthew Hunt'
Cc: 'Jesper Wallin'; pulz@pulz.no; security@FreeBSD.ORG
Subject: RE: How secure is a password and how many characters does it
allow?


You say that adduser uses DES, while the system defaults to MD5. How do
you add users then? Using pw useradd etc?

Erik Paulsen

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Paul Herman
Sent: Friday, May 17, 2002 5:03 AM
To: Matthew Hunt
Cc: Jesper Wallin; pulz@pulz.no; security@FreeBSD.ORG
Subject: Re: How secure is a password and how many characters does it
allow?


On Thu, 16 May 2002, Matthew Hunt wrote:

> On Fri, May 17, 2002 at 12:22:40AM +0200, Jesper Wallin wrote:
>
> > How will that effect my security? Isn't it more secure to use 128
> > characters instead of 8? Sounds like, if the security was the same
> > the blowfish would be default or something similar.. What do You
> > recommend?
>
> DES is the traditional algorithm, and is probably the default for
> interoperability with old software and NIS.  I've used MD5 for years
> with no trouble for the longer password support.  If you don't run
> NIS, then I don't think there's any reason to stick with DES.

OK, here's a quick rundown, some of which has been stated in this thread
already.

 Hash		Max significant password characters
------------------------------------------
 DES		8
 MD5		>512K (only tested up to 512K)
 Blowfish	72

MD5 *is* the default in FreeBSD (see /etc/login.conf) unless you use
adduser(8) perl script, which still generates the older DES password
hashes.

Also, it was stated that the Blowfish hash is faster.  The Blowfish
password hash is, in fact, slower.  Quick testing shows that the default
Blowfish seems to be roughly 50% slower than MD5.  This is a Good Thing
if you want to protect against brute force guessers.

Not only that, the algorithm scales better with time, because you can
set the number of iterations for the hash within the salt itself.  The
default is hardcoded for now to be 2^4=16 in
   /usr/src/secure/lib/libcrypt/crypt-blowfish.c:crypt_blowfish(),
but you can change this "on the fly" and put it in your own
/etc/master.passwd by providing the salt yourself:

  bash$ perl -e 'print crypt("secret", "\$2a\$04\$salt")'; echo
  $2a$04$salt............kC2SI.F9h7C15VchgS17zSObA10b/m9d6c.xa
  bash$ perl -e 'print crypt("secret", "\$2a\$06\$salt")'; echo
  $2a$06$salt............kC2SI.pIUU5dNGIJMpP6Fe73WiLDWgq9hZNgO
  bash$ perl -e 'print crypt("secret", "\$2a\$08\$salt")'; echo
  $2a$08$salt............kC2SI.QSKa17W8d4Tf9v/Hxo4DeCxL8Amj7cm

Lastly, all can be used in NIS, provided all OSes can understand the
hash (which is probably what Matt meant.)  In fact, I've used MD5 in NIS
for years now, with mixed Linux and FreeBSD systems. Only recently has
RedHat modified their MD5 hash algorithm to include a wider range of
characters.  :-(

Hope that clears things up,

-Paul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
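Two points from Paul's message above can be checked programmatically: the bcrypt cost lives inside the salt string ("$2a$04$..." means 2^4 rounds, "$2a$08$..." 2^8), and the "max significant password characters" table is something you measure by varying one character at a time and watching whether the hash changes. The script below is an added example, not code from the thread or from FreeBSD. The des_like, md5crypt_like and bcrypt_like functions are constructed stand-ins that imitate only the truncation lengths (8, unlimited, 72) of the real algorithms; they are not DES, MD5-crypt or Blowfish and must not be used to store passwords. libc_crypt() returns the real crypt(3) through Python's crypt module where that module still exists, so the same probe can be run against a live libc.

```python
"""Probe crypt(3)-style password hashes (added example, not from the thread).

1. describe_setting(): read the scheme from a setting/hash prefix and, for
   bcrypt ($2a$NN$...), the cost NN and the 2**NN rounds it implies.
2. max_significant_chars(): measure how many leading password characters a
   hash function actually uses, the way the thread's table was built.
"""
import hashlib
import re
from typing import Callable, Dict, Optional

HashFn = Callable[[str, str], str]  # (password, setting) -> hash string

# bcrypt settings look like $2a$06$<salt>; the two digits are the cost.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$(.*)$")
# Traditional DES crypt: a bare 2-character salt, no '$' prefix.
_DES_SALT_RE = re.compile(r"^[./0-9A-Za-z]{2}")


def describe_setting(setting: str) -> Dict[str, object]:
    """Classify a crypt(3) setting (or full hash) by its prefix."""
    m = _BCRYPT_RE.match(setting)
    if m:
        cost = int(m.group(2))
        return {"scheme": "bcrypt", "ident": m.group(1),
                "cost": cost, "rounds": 2 ** cost}
    if setting.startswith("$1$"):
        return {"scheme": "md5crypt"}
    if _DES_SALT_RE.match(setting):
        return {"scheme": "des"}
    return {"scheme": "unknown"}


def max_significant_chars(hash_fn: HashFn, setting: str,
                          limit: int = 256) -> Optional[int]:
    """Measure how many leading characters of the password hash_fn uses.

    Hash a base password of `limit` 'a's, then flip each position in turn
    to 'b'. The first position whose change leaves the hash unchanged is
    ignored by the algorithm, so that index is the number of significant
    leading characters. Returns None if every position up to `limit`
    matters (the thread saw this for MD5 up to 512K). Assumes the hash
    uses a contiguous prefix, as DES (8) and bcrypt (72) do; it is a probe,
    not a proof.
    """
    base = "a" * limit
    reference = hash_fn(base, setting)
    for i in range(limit):
        variant = base[:i] + "b" + base[i + 1:]
        if hash_fn(variant, setting) == reference:
            return i
    return None


def _truncating_stand_in(max_chars: Optional[int]) -> HashFn:
    """Constructed stand-in: SHA-256 over the setting and the password cut
    to max_chars. It copies only the length behaviour of the real hashes."""
    def fn(password: str, setting: str) -> str:
        used = password if max_chars is None else password[:max_chars]
        digest = hashlib.sha256((setting + "\0" + used).encode()).hexdigest()
        return setting + digest
    return fn


des_like = _truncating_stand_in(8)          # DES crypt: first 8 chars only
md5crypt_like = _truncating_stand_in(None)  # $1$: no practical limit
bcrypt_like = _truncating_stand_in(72)      # $2a$: first 72 bytes


def libc_crypt() -> Optional[HashFn]:
    """Real crypt(3) via Python's crypt module, or None if this interpreter
    no longer ships it (it was removed in Python 3.13)."""
    try:
        import crypt  # type: ignore
    except ImportError:
        return None
    return lambda password, setting: crypt.crypt(password, setting)


if __name__ == "__main__":
    for name, fn, setting in [("DES", des_like, "ab"),
                              ("MD5", md5crypt_like, "$1$salt$"),
                              ("Blowfish", bcrypt_like, "$2a$04$salt")]:
        info = describe_setting(setting)
        print(name, info, "significant chars:",
              max_significant_chars(fn, setting))
    real = libc_crypt()
    if real is not None:
        try:  # a libc may refuse DES or bcrypt settings; report, don't crash
            print("libc DES:", max_significant_chars(real, "ab"))
        except (OSError, TypeError) as exc:
            print("libc DES probe failed:", exc)
```

Running the probe against des_like returns 8 and against bcrypt_like 72, matching Paul's table; md5crypt_like returns None because every position up to the limit changes the hash. Pointing it at libc_crypt() instead measures what your actual libc does, which is the check worth doing before relying on any number in the table.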

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000201c1fdbc$b2b4b1f0$cea8a1d5>