Date:      Tue, 18 Jun 2013 00:56:08 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD maximum password length
Message-ID:  <20130618005608.488c72a0@gumby.homeunix.com>
In-Reply-To: <13CA24D6AB415D428143D44749F57D7201F93897@ltcfiswmsgmb21>
References:  <CAPkyVLw=m5-3HX7YC-Zqm=OgTLMhNYq4trBSWso8qEmPzqV38Q@mail.gmail.com> <44li69diyv.fsf@be-well.ilk.org> <CAPkyVLwNAUU_2E0d8Go6OP4m7jqHeHKCWEt5WRhtYcgRBSQ2nQ@mail.gmail.com> <20130617164744.1c4e3d02e57de825d500e309@yahoo.es> <13CA24D6AB415D428143D44749F57D7201F936C4@ltcfiswmsgmb21> <op.wyt2tgk934t2sn@tech304.office.supranet.net> <13CA24D6AB415D428143D44749F57D7201F93897@ltcfiswmsgmb21>

On Mon, 17 Jun 2013 17:52:48 +0000
Teske, Devin wrote:

> 
> On Jun 17, 2013, at 10:28 AM, Mark Felder wrote:
> 
> > On Mon, 17 Jun 2013 12:25:54 -0500, Teske, Devin
> > <Devin.Teske@fisglobal.com> wrote:
> > 
> >> The default in FreeBSD is MD5
> > 
> > MD5 is no longer the default.
> > 
> > 
> > http://svnweb.freebsd.org/base?view=revision&revision=238484
> 
> Huzzah!
> 
> 9.1-RELEASE and higher indeed use sha512 as the new default.
> 
> 8.4 still using md5 though (and expected to stay that way).
> 
> Question…
> 
> Is sha512 the highest it goes in our system?

The precise cipher/hash is almost irrelevant. What's important is the
amount of work needed to evaluate a password in a bruteforce dictionary
attack. MD5 is still OK for password hashing; the problem is an
inadequate number of iterations in our particular implementation. A
similar problem exists with blowfish and arguably all of the rest.

Another problem is that all current schemes are inadvertently optimised
for GPU attack since they run in very little memory.

The bottom line is: don't let anyone steal your password file. 
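The reply above argues that the scheme name matters less than the per-guess work factor (iteration count) and that a stolen password file is the real risk. The script below, an added example that is not part of the thread or of FreeBSD, shows how an administrator could audit a master.passwd-style file for that work factor: it classifies each crypt(3) field by scheme (DES, $1$ md5crypt with its fixed 1000 rounds, $2b$ bcrypt with its 2^cost key setups, $5$/$6$ sha256/sha512crypt with the optional rounds= parameter and 5000-round default) and flags accounts below a per-scheme floor. The sample lines, the hash bodies and the policy thresholds are constructed for illustration; the timing helper uses PBKDF2-HMAC-SHA512 as a stand-in to show how cost grows linearly with the round count, not as the sha512crypt algorithm itself.

```python
import re
import time
import hashlib
from dataclasses import dataclass

# Fixed per-guess work factors of the traditional crypt(3) schemes.
DES_CRYPT_ROUNDS = 25            # classic 13-char DES crypt: 25 DES encryptions
MD5_CRYPT_ROUNDS = 1000          # $1$ md5crypt: 1000 MD5 rounds, cannot be tuned
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # $5$/$6$ sha256/sha512crypt when no rounds= is given

# Constructed policy: minimum iterations per tunable scheme. Counts are not
# comparable across schemes (one bcrypt key setup costs far more than one SHA
# round), so each scheme gets its own floor; untunable schemes always fail.
POLICY_MIN_ITERATIONS = {
    "bcrypt": 2 ** 10,       # cost parameter >= 10
    "sha256crypt": 50000,
    "sha512crypt": 50000,
}


@dataclass
class HashInfo:
    user: str
    scheme: str
    iterations: int   # hash-primitive invocations per guess (0 = no password)
    tunable: bool     # whether the admin can raise the cost for this scheme


def parse_crypt_field(user: str, field: str) -> HashInfo:
    """Classify one master.passwd password field by scheme and work factor."""
    if field == "" or field[0] in "*!":
        return HashInfo(user, "locked-or-empty", 0, False)
    if field.startswith("$1$"):
        return HashInfo(user, "md5crypt", MD5_CRYPT_ROUNDS, False)
    m = re.match(r"^\$2[abxy]\$(\d{2})\$", field)
    if m:
        cost = int(m.group(1))
        return HashInfo(user, "bcrypt", 2 ** cost, True)
    m = re.match(r"^\$(5|6)\$(?:rounds=(\d+)\$)?", field)
    if m:
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        rounds = int(m.group(2)) if m.group(2) else SHA_CRYPT_DEFAULT_ROUNDS
        return HashInfo(user, scheme, rounds, True)
    if len(field) == 13 and "$" not in field:
        return HashInfo(user, "descrypt", DES_CRYPT_ROUNDS, False)
    return HashInfo(user, "unknown", 0, False)


def audit_master_passwd(lines, policy=POLICY_MIN_ITERATIONS):
    """Return (user, scheme, iterations) for each account below the policy floor."""
    weak = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        info = parse_crypt_field(fields[0], fields[1])
        if info.scheme == "locked-or-empty":
            continue  # no password to crack
        floor = policy.get(info.scheme)
        if floor is None or info.iterations < floor:
            weak.append((info.user, info.scheme, info.iterations))
    return weak


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall time for one password check at a given round count.

    PBKDF2-HMAC-SHA512 stands in for sha512crypt: both cost O(rounds).
    """
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"correct horse", b"constructed-salt", rounds)
        best = min(best, time.perf_counter() - t0)
    return best


# Constructed sample master.passwd lines; hash bodies are placeholders, not real digests.
SAMPLE_MASTER_PASSWD = [
    "# constructed sample, not a real password file",
    "root:$2b$04$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$6$rounds=100000$saltsalt$PLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$6$saltsalt$PLACEHOLDERHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:$1$saltsalt$PLACEHOLDERHASH:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "dave:$2b$12$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:1004:1004::0:0:Dave:/home/dave:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for entry in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print("below policy floor:", entry)
    for r in (1000, 5000, 50000):
        print(f"{r:>6} rounds: {seconds_per_guess(r) * 1000:.2f} ms per guess")
```

Running it on the constructed file flags root (bcrypt cost 4), bob (sha512crypt at the 5000 default) and carol (md5crypt, untunable), while alice and dave pass; the timing loop makes the message's point concrete by showing the per-guess cost rising in step with the round count.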
