Date: Thu, 28 Jan 2010 17:44:19 -0500 (EST)
From: Mike Andrews <mandrews@bit0.com>
To: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-ID: <alpine.BSF.2.00.1001281738110.43056@beast.int.bit0.com>
In-Reply-To: <4B620DAC.4080608@bit0.com>
References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B620DAC.4080608@bit0.com>
On Thu, 28 Jan 2010, Mike Andrews wrote:

> On 1/28/10 3:18 PM, Chris Palmer wrote:
>> For backwards compatibility, which do people prefer: Creating a new $N$
>> prefix every time we re-tune the algorithm, or using a new notation to say
>> how many times this password was hashed? For example: $1.1000$, $1.100000$,
>> et c.?
>>
>> I prefer the latter. It can work with Blowfish, too, and anything else
>> people come up with in the future.
>
> The Blowfish one already has that feature.
>
> A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my
> /etc/login.conf files to set "passwd_format=blf" and all my password hashes
> are in the format "$2a$04$salthash" -- with the "04" being the (default)
> number of rounds of Blowfish to run. I have some users where it's set to 11
> rounds, and as you'd expect, it puts a pretty big hurt on the ability of
> things like John The Ripper to attack the hashes.

Actually that's not the number of rounds, it's the log2() of the number of
rounds. So 04 is really 2^4=16 rounds (the minimum), 11 is 2^11=2048 rounds,
and the maximum is 31 -- which as the source code states, oughta scale pretty
well for a while. :)

See /usr/src/secure/lib/libcrypt/crypt-blowfish.c

There is probably a login.conf knob to raise the default number of rounds
beyond 2^4. But the point remains: look at what FreeBSD already has. :)
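As an added example (not code from the thread or from FreeBSD's libcrypt), a small Python audit that reads crypt(3)-style hash strings, converts the bcrypt cost field from log2 to an actual round count as the reply explains, and flags entries below an assumed minimum work factor. The `$1.<iterations>$` notation is the hypothetical one proposed in the thread, the 1000-iteration count for plain `$1$` md5crypt is its hard-wired value, and all sample entries are constructed, not real hashes.

```python
import re

# bcrypt ("blf") cost bounds as described in the thread: the two-digit field
# after "$2a$" is log2(rounds); 4 is the minimum and 31 the maximum.
BCRYPT_MIN_COST = 4
BCRYPT_MAX_COST = 31

# $2$, $2a$, $2b$, $2x$, $2y$ variants, 2-digit cost, then 22 salt + 31 digest chars.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Hypothetical "$1.<iterations>$salt$hash" notation proposed in the thread;
# this is not an existing crypt(3) format.
TUNABLE_MD5_RE = re.compile(r"^\$1\.(\d+)\$[^$]+\$[^$]+$")
# Iteration count hard-wired into PHK's md5crypt ($1$).
MD5CRYPT_ITERATIONS = 1000


def hash_work_factor(hash_str):
    """Return (scheme, rounds) for a crypt(3)-style hash, or raise ValueError."""
    m = BCRYPT_RE.match(hash_str)
    if m:
        cost = int(m.group(1))
        if not BCRYPT_MIN_COST <= cost <= BCRYPT_MAX_COST:
            raise ValueError(f"bcrypt cost {cost} outside {BCRYPT_MIN_COST}..{BCRYPT_MAX_COST}")
        return "blf", 2 ** cost          # the field is log2(rounds), not rounds
    m = TUNABLE_MD5_RE.match(hash_str)
    if m:
        return "md5-tunable", int(m.group(1))
    if hash_str.startswith("$1$"):
        return "md5", MD5CRYPT_ITERATIONS
    raise ValueError("unrecognised password hash format")


def audit(entries, min_rounds=2 ** 10):
    """Return (user, scheme, rounds) for entries below an assumed minimum work factor."""
    weak = []
    for user, h in entries:
        scheme, rounds = hash_work_factor(h)
        if rounds < min_rounds:
            weak.append((user, scheme, rounds))
    return weak


# Constructed sample entries in the shapes the thread describes (not real hashes).
SAMPLE_SALT = "abcdefghijklmnopqrstuv"                  # 22 chars
SAMPLE_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"       # 31 chars
SAMPLE_ENTRIES = [
    ("alice", "$2a$04$" + SAMPLE_SALT + SAMPLE_DIGEST),  # default cost 04 -> 16 rounds
    ("bob", "$2a$11$" + SAMPLE_SALT + SAMPLE_DIGEST),    # raised to 11 -> 2048 rounds
    ("carol", "$1$saltsalt$" + "x" * 22),                # md5crypt, fixed 1000 iterations
    ("dave", "$1.100000$saltsalt$" + "x" * 22),          # proposed tunable md5 notation
]

if __name__ == "__main__":
    for user, scheme, rounds in audit(SAMPLE_ENTRIES):
        print(f"{user}: {scheme} with only {rounds} rounds")
```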