From: Garance A Drosehn
Date: Sun, 07 Jul 2013 16:09:12 -0400
To: nanoman@nanoman.ca
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: Better Password Hashes
Message-ID: <51D9CAE8.1080902@FreeBSD.org>
In-Reply-To: <20130707173622.GA21102@nanocomputer.nanoman.ca>

On 7/7/13 1:36 PM, A.J. Kehoe IV (Nanoman) wrote:
> I commissioned Derek to come up with a solution by either updating
> Steven's patch or by devising a new method. To paraphrase Derek's comments:
>
> -----BEGIN PARAPHRASIS-----
> I did some research into what other *BSDs are doing. OpenBSD and NetBSD
> use the algorithm name, a comma, and then the number of rounds:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5
>
> localcipher=blowfish,6
>
> http://netbsd.gw.com/cgi-bin/man-cgi?passwd.conf+5+NetBSD-current
>
> localcipher=blowfish,6
>
> To me, this isn't a good way to do it because we'd need special
> rules to parse this extra field out of the previously unstructured
> data. This parsing would be algorithm dependent.

To comment only on this point, I do not think it is a significant issue. If OpenBSD and NetBSD are already doing this, then whatever parsing issues exist are already being addressed by users on those OSes. I think there is a significant advantage in using something that they are already using.

Now, if they say "Wow, was this a bad idea!", then obviously I wouldn't want to add it. But if their security is better with this feature, and if *they* don't have major regrets with using it, then I think we should consider it.

I'd certainly want to consider other ideas too. But I don't think we should cross this idea off the list just because it would be too much extra effort *if* we were the only OS which used it. I run both FreeBSD and OpenBSD systems, and for people like me it will be more effort if different BSDs use incompatible methods to achieve better password security. You won't be saving me any effort, you'll only be adding to the effort I already have. [admittedly that isn't much effort. :) ]

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
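The parsing concern Derek raises above, as an added illustration that is not code from FreeBSD, OpenBSD or NetBSD: a small parser for a `localcipher=algorithm[,rounds]` value. It shows where the algorithm dependence lives (the meaning and legal range of the rounds field differ per algorithm), and the per-algorithm bounds it uses are assumed for illustration only, not what any BSD's libcrypt enforces.

```python
import re

# Per-algorithm rule for the optional ",rounds" suffix: (min, max), or None
# when the algorithm has no tunable work factor.  These bounds are assumed
# for illustration; they are not what any BSD's libcrypt actually enforces.
ROUNDS_RULES = {
    "blowfish": (4, 31),          # bcrypt cost is log2 of the iteration count
    "sha512": (1000, 999999999),  # sha-crypt style linear iteration count
    "md5": None,                  # md5crypt: no rounds parameter at all
}

_ROUNDS_RE = re.compile(r"[0-9]+")


def parse_localcipher(value):
    """Split 'algorithm[,rounds]' into (algorithm, rounds).

    rounds is None when the field is absent.  Any malformed, unknown or
    out-of-range value raises ValueError: a hash-selection setting should
    fail loudly rather than silently fall back to a weaker default.
    """
    if not value or not value.strip():
        raise ValueError("empty localcipher value")
    algo, sep, rounds_text = value.strip().partition(",")
    algo = algo.strip().lower()
    if algo not in ROUNDS_RULES:
        raise ValueError(f"unknown cipher {algo!r}")
    if not sep:
        return algo, None            # bare algorithm name, e.g. "blowfish"
    rule = ROUNDS_RULES[algo]
    if rule is None:
        raise ValueError(f"{algo} does not take a rounds field")
    rounds_text = rounds_text.strip()
    if not _ROUNDS_RE.fullmatch(rounds_text):
        raise ValueError(f"rounds must be a decimal integer, got {rounds_text!r}")
    rounds = int(rounds_text)
    lo, hi = rule
    if not lo <= rounds <= hi:
        raise ValueError(f"{algo} rounds {rounds} outside {lo}..{hi}")
    return algo, rounds


def rejects(value):
    """True if parse_localcipher() refuses value (used by the self-checks)."""
    try:
        parse_localcipher(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The exact value from the OpenBSD/NetBSD examples quoted in the thread.
    print(parse_localcipher("blowfish,6"))   # ('blowfish', 6)
```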