Date: Sun, 10 Jun 2012 17:53:51 +0300 From: Gleb Kurtsou <gleb.kurtsou@gmail.com> To: "Simon L. B. Nielsen" <simon@FreeBSD.org> Cc: Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@des.no>, freebsd-security@freebsd.org Subject: Re: Default password hash Message-ID: <20120610145351.GA1098@reks> In-Reply-To: <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org> References: <86r4tqotjo.fsf@ds4.des.no> <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On (10/06/2012 11:02), Simon L. B. Nielsen wrote: > > On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote: > > > We still have MD5 as our default password hash, even though known-hash > > attacks against MD5 are relatively easy these days. We've supported > > SHA256 and SHA512 for many years now, so how about making SHA512 the > > default instead of MD5, like on most Linux distributions? > > Has anyone looked at how long the SHA512 password hashing actually takes on modern computers? > > The "real" solution for people who care significantly about this seems something like the algorithm pjd implemented (I think he did it at least) for GELI, where the number of rounds is variable and calculated so it takes X/0.X seconds on the specific hardware used. That's of course a lot more complicated, and I'm not sure if it would work with the crypt() API. Do you mean pkcs5v2_calculate from geli? It seems to have a drawback that results produced depend on actual CPU load. % ./pkcs5v-test [*] 541491 539568 542352 540376 388285 -- start several instances of pkcs5v-test in parallel 303071 284793 281110 It would be awesome to provide user with options to configure minimal and maximal iteration count and randomly choose iteration count within the range for each new password. Such trivial change should considerably complicate mass password bruteforce cracking. Variable number of rounds for a password would also require changing crypt() interface. > Also, does anyone know if our SHA512 is compatible with the format used by Linux, other BSD's etc? It's supposed to be compatible with Linux. DragonFly invented something on their own with a nasty bug in it. They could have changed to "standard" crypt on top of sha-2 after bug was discovered. http://www.openwall.com/lists/oss-security/2012/01/16/2 Why does nobody mention scrypt? It looks very attractive in longer perspective. Thanks, Gleb. * pkcs5v-test.c: #include <crypto/pkcs5v2/pkcs5v2.h> int main(int argc, char **argv) { int i, usec; for (i = 0; i < 10; i++) { usec = pkcs5v2_calculate(2000000, 512 / 8, 4); printf("%d\n", usec); } return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120610145351.GA1098>