From: Dag-Erling Smørgrav
To: freebsd-security@freebsd.org
Date: Fri, 08 Jun 2012 14:51:55 +0200
Message-ID: <86r4tqotjo.fsf@ds4.des.no>
Subject: Default password hash

We still have MD5 as our default password hash, even though known-hash attacks against MD5 are relatively easy these days. We've supported SHA256 and SHA512 for many years now, so how about making SHA512 the default instead of MD5, like on most Linux distributions?

Index: etc/login.conf =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- etc/login.conf (revision 236616) +++ etc/login.conf (working copy) 
@@ -23,7 +23,7 @@ # AND SEMANTICS'' section of getcap(3) for more escape sequences). default:\ - :passwd_format=3Dmd5:\ + :passwd_format=3Dsha512:\ :copyright=3D/etc/COPYRIGHT:\ :welcome=3D/etc/motd:\ :setenv=3DMAIL=3D/var/mail/$,BLOCKSIZE=3DK,FTP_PASSIVE_MODE=3DYES:\ 

DES
-- 
Dag-Erling Smørgrav - des@des.no
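
Review bot: The `passwd_format` line in the `default` class is switched with no accompanying note for administrators, and the patch as posted touches only etc/login.conf. This capability selects the format used when a password is set or changed, so entries already hashed with MD5 stay as they are until each user changes their password; the change on its own does not retire the existing MD5 hashes that the message is concerned about. Suggest adding an UPDATING or release-notes entry that says so, and that points out that a password file shared with hosts whose crypt(3) lacks SHA512 support will contain entries those hosts cannot verify once users change their passwords under the new default.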