Date: Tue, 18 Jun 2013 00:56:08 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD maximum password length
Message-ID: <20130618005608.488c72a0@gumby.homeunix.com>

On Mon, 17 Jun 2013 17:52:48 +0000
Teske, Devin wrote:

>
> On Jun 17, 2013, at 10:28 AM, Mark Felder wrote:
>
> > On Mon, 17 Jun 2013 12:25:54 -0500, Teske, Devin
> > wrote:
> >
> >> The default in FreeBSD is MD5
> >
> > MD5 is no longer the default.
> >
> > http://svnweb.freebsd.org/base?view=revision&revision=238484
>
> Huzzah!
>
> 9.1-RELEASE and higher indeed use sha512 as the new default.
>
> 8.4 still using md5 though (and expected to stay that way).
>
> Question…
>
> Is sha512 the highest it goes in our system?

The precise cipher/hash is almost irrelevant. What's important is the
amount of work needed to evaluate a password in a bruteforce dictionary
attack.

MD5 is still OK for password hashing, the problem is an inadequate
number of iterations in our particular implementation. A similar
problem exists with blowfish and arguably all of the rest.

Another problem is that all current schemes are inadvertently optimised for GPU attack since they run in very little memory. The bottom line is: don't let anyone steal your password file.
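
The iteration-count point made in the message above can be checked against a password file. The following is an added example, not part of the original message or of FreeBSD: it reads the work factor out of crypt(3)-style hash fields. The function names, the sample lines and the minimum thresholds are assumptions made for illustration.

```python
import re

MD5CRYPT_ROUNDS = 1000          # md5crypt ($1$) hard-codes 1000 iterations
SHACRYPT_DEFAULT_ROUNDS = 5000  # sha256/sha512-crypt without a rounds= field

# Constructed master.passwd-style lines; salts and hashes are placeholders.
SAMPLE = [
    "alice:$1$CONSTRUC$placeholderhashplaceho:1001:1001::0:0:A:/home/alice:/bin/sh",
    "bob:$6$CONSTRUCTEDSALT$placeholderhash:1002:1002::0:0:B:/home/bob:/bin/sh",
    "carol:$6$rounds=100000$CONSTRUCTEDSALT$placeholderhash:1003:1003::0:0:C:/home/carol:/bin/sh",
    "dave:$2a$04$placeholdersaltandhashplaceholder:1004:1004::0:0:D:/home/dave:/bin/sh",
    "daemon:*:1:1::0:0:Owner:/root:/usr/sbin/nologin",
]

# Illustrative minimums (an assumption; tune to your own hardware budget).
MINIMUMS = {"md5crypt": 100000, "sha256crypt": 100000,
            "sha512crypt": 100000, "bcrypt": 2 ** 10}

def work_factor(hash_field):
    """Return (scheme, iterations) for a crypt(3)-style hash string.

    Counts are only comparable within one scheme: a single bcrypt round
    costs far more than a single MD5 round.
    """
    if hash_field.startswith("$1$"):
        return ("md5crypt", MD5CRYPT_ROUNDS)
    m = re.match(r"^\$2[abxy]?\$(\d{2})\$", hash_field)
    if m:
        return ("bcrypt", 2 ** int(m.group(1)))  # cost field is log2(rounds)
    m = re.match(r"^\$([56])\$(?:rounds=(\d+)\$)?", hash_field)
    if m:
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        rounds = int(m.group(2)) if m.group(2) else SHACRYPT_DEFAULT_ROUNDS
        return (scheme, rounds)
    return ("unknown", None)  # locked, empty or unrecognised field

def audit(passwd_lines, minimums):
    """Return [(user, scheme, iterations)] for hashes below the minimum."""
    flagged = []
    for line in passwd_lines:
        user, field = line.split(":")[:2]
        scheme, rounds = work_factor(field)
        if rounds is not None and rounds < minimums.get(scheme, 0):
            flagged.append((user, scheme, rounds))
    return flagged

if __name__ == "__main__":
    for user, scheme, rounds in audit(SAMPLE, MINIMUMS):
        print(f"{user}: {scheme} at {rounds} iterations is below the minimum")
```
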