Date:      Tue, 4 Feb 2014 01:00:41 -0700 (MST)
From:      Mike Brown <mike@skew.org>
To:        Tom Rhodes <trhodes@FreeBSD.org>
Cc:        doc@FreeBSD.org
Subject:   Re: Patch (WIP): New security front matter; new shell redirection section
Message-ID:  <201402040800.s1480fXU006990@chilled.skew.org>
In-Reply-To: <20140202175121.16a0c264.trhodes@FreeBSD.org>

Tom Rhodes wrote:
> +      <para>Passwords are a necessary evil of the past.  In the cases
> +	they must be used, not only should the password be extremely
> +	complex, but also use a powerful hash mechanism to protect it.
> +	At the time of this writing, &os; supports
> +	<acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
> +	<acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
> +	the <function>crypt()</function> library.  The default is
> +	<acronym>SHA</acronym>512 and should not be changed backwards;
> +	however, some users like to use the Blowfish option.  Each
> +	mechanism, aside from <acronym>DES</acronym>, has a unique
> +	beginning to designate the hash mechanism assigned.  For the
> +	<acronym>MD</acronym>5 mechanism, the symbol is a
> +	<quote>$</quote> sign.  For the <acronym>SHA</acronym>256 or
> +	<acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
> +	and Blowfish uses <quote>$2a$</quote>.  Any weaker passwords
> +	should be re-hashed by asking the user to run &man.passwd.1;
> +	during their next login.</para>
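Review bot: the prefix list in this paragraph contradicts its own statement that each mechanism "has a unique beginning": SHA256 and SHA512 are both assigned <quote>$6$</quote>, and MD5 is given a bare <quote>$</quote>, which every modular-format hash starts with and so identifies nothing. crypt(3) uses $1$ for MD5, $5$ for SHA-256 and $6$ for SHA-512, so the MD5 and SHA sentences should list those three prefixes separately. The phrase "should not be changed backwards" is also unclear; "should not be changed to a weaker mechanism" says what is meant.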

I get confused by this.

"Any weaker passwords" immediately follows discussion of hash
mechanisms, suggesting you actually mean to say "Any passwords
protected by weaker hash mechanisms" ... although maybe you
were done talking about hash mechanisms and were actually now
back to talking about password complexity? Please clarify.

Either way, how do I inspect /etc/spwd.db to find out who has 
weak/not-complex-enough passwords, and what hash mechanism is in use
for each user, so I know who needs to run passwd(1)?

If this info is already in the chapter, forgive me; I am just
going by what's in the diff.

Anyway, overall it looks great.
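One way to answer the inspection question above, as an added example that is not part of this thread or of the Handbook patch: a small POSIX sh script that classifies each account's crypt(3) mechanism from the hash prefix in master.passwd-format input and lists the users still stored with something other than the SHA-512 default. It uses the conventional crypt(3) prefixes ($1$ MD5, $2a$/$2b$ Blowfish, $5$ SHA-256, $6$ SHA-512; an unprefixed 13-character hash is traditional DES), which differ from the quoted paragraph's "$6$ for SHA256 or SHA512"; the account data below is constructed, and reading the real /etc/master.passwd requires root.

```shell
#!/bin/sh
# Classify the crypt(3) hash mechanism of each account in master.passwd-format
# input (user:hash:uid:gid:class:change:expire:gecos:home:shell) and report the
# accounts that are not on the SHA-512 default, i.e. who should be asked to
# run passwd(1).  Prefixes follow the crypt(3) modular format (assumption:
# $1$ MD5, $2a$/$2b$ Blowfish, $5$ SHA-256, $6$ SHA-512; bare 13 chars = DES).

hash_mechanism() {
    # $1: the hash field of one entry.  Prints the mechanism name.
    case "$1" in
        '')                        echo "empty" ;;
        '*'|'!'*|'*LOCKED*'*)      echo "locked" ;;
        '$1$'*)                    echo "MD5" ;;
        '$2a$'*|'$2b$'*)           echo "Blowfish" ;;
        '$5$'*)                    echo "SHA-256" ;;
        '$6$'*)                    echo "SHA-512" ;;
        *) if [ "${#1}" -eq 13 ]; then echo "DES"; else echo "unknown"; fi ;;
    esac
}

# Print "user mechanism" for every non-comment entry read on stdin.
report_mechanisms() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        echo "$user $(hash_mechanism "$hash")"
    done
}

# Print only the users whose stored hash is weaker than the SHA-512 default;
# locked and empty entries have no password to re-hash and are skipped.
users_needing_rehash() {
    report_mechanisms | while read -r user mech; do
        case "$mech" in SHA-512|locked|empty) ;; *) echo "$user" ;; esac
    done
}

# Constructed sample in master.passwd format (not real accounts or hashes).
SAMPLE='root:$6$saltsalt$constructedsha512hash:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$saltsalt$constructedmd5hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$constructedblowfishhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$5$saltsalt$constructedsha256hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:ab0123456789A:1004:1004::0:0:Dave:/home/dave:/bin/sh
eve:*LOCKED*$6$xx$yy:1005:1005::0:0:Eve:/home/eve:/bin/sh'

printf '%s\n' "$SAMPLE" | report_mechanisms
echo "needs passwd(1): $(printf '%s\n' "$SAMPLE" | users_needing_rehash | tr '\n' ' ')"
```

On a live system, `users_needing_rehash < /etc/master.passwd` (as root) gives the list of accounts to contact; /etc/spwd.db is only the compiled form of that file.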
