From: "Simon L. B. Nielsen"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Sun, 10 Jun 2012 11:02:50 +0100
Subject: Re: Default password hash
Message-Id: <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org>
In-Reply-To: <86r4tqotjo.fsf@ds4.des.no>

On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:

> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?

Has anyone looked at how long the SHA512 password hashing actually takes on modern computers?

The "real" solution for people who care significantly about this seems something like the algorithm pjd implemented (I think he did it at least) for GELI, where the number of rounds is variable and calculated so it takes X/0.X seconds on the specific hardware used. That's of course a lot more complicated, and I'm not sure if it would work with the crypt() API.

Also, does anyone know if our SHA512 is compatible with the format used by Linux, other BSD's etc?

-- 
Simon L. B. Nielsen
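
The hardware-calibrated round count discussed in the message above, sketched as an added example (not part of the original post and not GELI's or FreeBSD's code): it times a sample run, scales the count to a target duration, and writes the result into the `$6$rounds=N$salt` setting string defined by the SHA-crypt specification. Assumptions: `hashlib.pbkdf2_hmac` stands in for the real hash as the timed workload, and the function names, password and salt are constructed for illustration.

```python
import hashlib
import time

# Round limits from the SHA-crypt specification ($5$ / $6$ hashes).
ROUNDS_MIN, ROUNDS_MAX = 1_000, 999_999_999
# Conventional crypt(3) salt alphabet.
SALT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def pbkdf2_work(rounds):
    """Stand-in workload (assumption): PBKDF2-HMAC-SHA512 over constructed inputs."""
    hashlib.pbkdf2_hmac("sha512", b"constructed-password", b"constructed-salt", rounds)


def measure(work, rounds, timer):
    """Seconds taken by one run of work(rounds), per the supplied timer."""
    start = timer()
    work(rounds)
    return timer() - start


def calibrate_rounds(target_seconds, work=pbkdf2_work, timer=time.perf_counter):
    """Pick a round count that costs about target_seconds on this machine."""
    probe = ROUNDS_MIN
    elapsed = measure(work, probe, timer)
    # Double the probe until the sample is long enough to outweigh timer noise.
    while elapsed < target_seconds / 8 and probe <= ROUNDS_MAX // 2:
        probe *= 2
        elapsed = measure(work, probe, timer)
    if elapsed <= 0:  # clock too coarse to measure anything: use the ceiling
        return ROUNDS_MAX
    # Cost is linear in the round count, so scale the sample to the target.
    rounds = int(probe * target_seconds / elapsed)
    return max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))


def crypt_setting(rounds, salt):
    """Build the SHA-512 crypt(3) setting string that carries the round count."""
    if not ROUNDS_MIN <= rounds <= ROUNDS_MAX:
        raise ValueError("rounds outside the SHA-crypt limits")
    if not 0 < len(salt) <= 16 or not set(salt) <= SALT_CHARS:
        raise ValueError("salt must be 1-16 characters from [./0-9A-Za-z]")
    return f"$6$rounds={rounds}${salt}"


if __name__ == "__main__":
    n = calibrate_rounds(0.25)
    print(n, crypt_setting(n, "constructedsalt"))
```

To get a count that is meaningful for a real password hash, pass a `work` callable that runs that hash for the given number of rounds; the PBKDF2 default only shows the calibration logic.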