From owner-freebsd-security@freebsd.org Wed May 23 21:40:32 2018
From: Mark Felder
To: freebsd-security@freebsd.org
Date: Wed, 23 May 2018 16:40:31 -0500
Subject: Default password hash, redux

Around 2012[1] we made the brave switch from md5crypt to sha512. Some people were asking for bcrypt to be default, and others were hoping we would see pbkdf2 support. We went with compatible. Additionally, making password hashing more

In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin.

I'd also like to see us pull in scrypt if cperciva doesn't have any objections. It's good to have options.

PS: Why does "compatibility" matter for a default algorithm? Having a default different than Linux or Solaris isn't a bad thing as long as we implement the industry's common hashes which would permit any management tools twiddling the master.passwd manually to still be able to insert the password hashes in a common format...

[1] https://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html
[2] https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518
[4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=75934 is the original report about the issue

--
Mark Felder
ports-secteam & portmgr member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Wed May 23 21:50:17 2018
From: Yonas Yanfa
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Wed, 23 May 2018 17:50:04 -0400
Subject: Re: Default password hash, redux

I recommend adding support for Argon2.

https://en.wikipedia.org/wiki/Argon2

On Wed, May 23, 2018, 5:42 PM Mark Felder wrote:

> Around 2012[1] we made the brave switch from md5crypt to sha512. Some
> people were asking for bcrypt to be default, and others were hoping we
> would see pbkdf2 support. We went with compatible. Additionally, making
> password hashing more
>
> In light of this new article[2] I would like to rehash (pun intended) this
> conversation and also mention a bug report[3] we've been sitting on in some
> form for 12 years[4] with usable code that would make working with password
> hashing algorithms easier and the rounds configurable by the admin.
>
> I'd also like to see us pull in scrypt if cperciva doesn't have any
> objections. It's good to have options.
>
> PS: Why does "compatibility" matter for a default algorithm? Having a
> default different than Linux or Solaris isn't a bad thing as long as we
> implement the industry's common hashes which would permit any management
> tools twiddling the master.passwd manually to still be able to insert the
> password hashes in a common format...
>
> [1]
> https://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html
> [2]
> https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
> [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518
> [4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=75934 is the
> original report about the issue
>
> --
> Mark Felder
> ports-secteam & portmgr member
> feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Wed May 23 21:50:40 2018
From: Mark Felder
To: freebsd-security@freebsd.org
Date: Wed, 23 May 2018 16:50:39 -0500
Subject: Re: Default password hash, redux

On Wed, May 23, 2018, at 16:40, Mark Felder wrote:
> Additionally, making password hashing more
>

Mailman came to the door and my barking dog interrupted my train of thought :-)

I believe what I was going for was in reference to the bugzilla report, so I'll try again:

Additionally, making password hashing more configurable/pluggable gives us more room to experiment with implementing new hashes and makes it easier to solve these problems. It appears that the patch languishing in bugzilla would help alleviate this issue.

--
Mark Felder
ports-secteam & portmgr member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Thu May 24 20:37:02 2018
From: Benjamin Kaduk
To: freebsd-security@freebsd.org
Date: Thu, 24 May 2018 15:31:50 -0500
Subject: Re: Default password hash, redux

On Wed, May 23, 2018 at 05:50:04PM -0400, Yonas Yanfa wrote:
> I recommend adding support for Argon2.
>
> https://en.wikipedia.org/wiki/Argon2

Yes, Argon2 seems like a no-brainer at this point.

-Ben

From owner-freebsd-security@freebsd.org Sat May 26 13:55:49 2018
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
To: Mark Felder, freebsd-security@freebsd.org
Date: Sat, 26 May 2018 09:55:40 -0400
Subject: Re: Default password hash, redux

On 18-05-23 05:40 PM, Mark Felder wrote:
> In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin.
>
> [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518

I'd also like to add a relevant reference to the public discussion regarding this patch:

https://lists.freebsd.org/pipermail/freebsd-security/2015-February/008175.html

(which also links to previous discussion on -current) as some additional context at this time.

Derek
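
The point in the opening message about tools inserting hashes into master.passwd "in a common format" rests on each stored hash naming its own scheme and cost, so a changed default only affects newly set passwords. As an added illustration (not code from this thread, the bug reports, or FreeBSD), the Python script below classifies the password field of master.passwd-format lines by crypt identifier and work factor; the function names, the set of schemes treated as legacy, and the sample lines with placeholder salts and hashes are assumptions made for the example.

```python
import re

# Modular crypt format identifiers and the schemes they select.
SCHEMES = {"1": "md5crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "2y": "bcrypt", "3": "nthash", "5": "sha256crypt", "6": "sha512crypt"}
LEGACY = {"des", "bsdi-des", "md5crypt", "nthash"}  # assumption: this example's policy
SHA_DEFAULT_ROUNDS = 5000  # used by sha256crypt/sha512crypt when rounds= is absent

def classify(field):
    """Return (scheme, iterations); iterations is None when not tunable or absent."""
    if field == "":
        return ("empty", None)
    if field.startswith("*"):            # "*", "*LOCKED*...": no usable password
        return ("locked", None)
    m = re.match(r"\$([0-9a-z]+)\$(.*)", field)
    if not m:
        if field.startswith("_"):
            return ("bsdi-des", None)
        return ("des" if len(field) == 13 else "unknown", None)
    ident, rest = m.groups()
    scheme = SCHEMES.get(ident, "unknown")
    if scheme == "bcrypt":               # two-digit cost is log2 of the iteration count
        cost = re.match(r"(\d\d)\$", rest)
        return (scheme, 2 ** int(cost.group(1)) if cost else None)
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = re.match(r"rounds=(\d+)\$", rest)
        return (scheme, int(rounds.group(1)) if rounds else SHA_DEFAULT_ROUNDS)
    return (scheme, None)

def audit(text):
    """Map each account in master.passwd-format text to (scheme, iterations)."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) != 10:   # master.passwd has 10 fields
            continue
        report[parts[0]] = classify(parts[1])
    return report

def needs_rehash(report):
    """Accounts whose stored hash uses a scheme this example treats as legacy."""
    return sorted(u for u, (s, _) in report.items() if s in LEGACY)

# Constructed sample: salts and hashes are placeholders, not real credentials.
SAMPLE = """\
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2b$10$CONSTRUCTEDsaltANDhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$CONSTRUCTED$CONSTRUCTEDhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$rounds=50000$CONSTRUCTEDsalt$CONSTRUCTEDhash:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    print(audit(SAMPLE), needs_rehash(audit(SAMPLE)))
```

An identifier missing from the table, such as one for a newly added scheme, is reported as "unknown" rather than flagged, which keeps the audit usable while new hashes are being introduced.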