From owner-freebsd-security@freebsd.org Sat May 26 13:55:49 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8D7DF76816 for ; Sat, 26 May 2018 13:55:49 +0000 (UTC) (envelope-from 482254ac@razorfever.net) Received: from pmta11.teksavvy.com (pmta11.teksavvy.com [76.10.157.34]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (Client CN "*.teksavvy.com", Issuer "DigiCert SHA2 High Assurance Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2441170728; Sat, 26 May 2018 13:55:48 +0000 (UTC) (envelope-from 482254ac@razorfever.net) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2ENBAByZglb/0StpUVbGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYINgTdiA3oog3eIY4wOAUQBAQp/CCExAV2VLAULGA0JhDQKAoI?= =?us-ascii?q?PIjgUAQIBAQEBAQECAgJoHAyCaEtcAQEBAQEBIwINZAEBAQMBIhUeMwsOCgICF?= =?us-ascii?q?BICAigRHgYBDAgBAYMeAoFyDQ+mLIIchFiDaIFjBRN2iDmBB4EzDIJdgUEBgU8?= =?us-ascii?q?DAQEXghSCMoJUAphgCAEChWqFEoNZCIdWD4UfiWqHEQyBWCKBPA4IH1xSCIIug?= =?us-ascii?q?h8NC4hZhVojMAELjRmCIwEB?= X-IPAS-Result: =?us-ascii?q?A2ENBAByZglb/0StpUVbGQEBAQEBAQEBAQEBAQcBAQEBAYI?= =?us-ascii?q?NgTdiA3oog3eIY4wOAUQBAQp/CCExAV2VLAULGA0JhDQKAoIPIjgUAQIBAQEBA?= =?us-ascii?q?QECAgJoHAyCaEtcAQEBAQEBIwINZAEBAQMBIhUeMwsOCgICFBICAigRHgYBDAg?= =?us-ascii?q?BAYMeAoFyDQ+mLIIchFiDaIFjBRN2iDmBB4EzDIJdgUEBgU8DAQEXghSCMoJUA?= =?us-ascii?q?phgCAEChWqFEoNZCIdWD4UfiWqHEQyBWCKBPA4IH1xSCIIugh8NC4hZhVojMAE?= =?us-ascii?q?LjRmCIwEB?= X-IronPort-AV: E=Sophos;i="5.49,444,1520913600"; d="scan'208";a="33248045" Received: from 69-165-173-68.dsl.teksavvy.com (HELO mail.razorfever.net) ([69.165.173.68]) by smtp.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 May 2018 09:55:41 -0400 Received: from [127.0.0.1] (mail.razorfever.net [192.168.0.4]) by mail.razorfever.net (8.15.2/8.14.9) with ESMTP id w4QDtem6081215; Sat, 26 May 2018 09:55:41 -0400 (EDT) (envelope-from 482254ac@razorfever.net) X-Authentication-Warning: mail.razorfever.net: Host mail.razorfever.net [192.168.0.4] claimed to be [127.0.0.1] Subject: Re: Default password hash, redux To: Mark Felder , freebsd-security@freebsd.org References: <1527111631.2205598.1382649664.0BF85F15@webmail.messagingengine.com> From: "Derek (freebsd lists)" <482254ac@razorfever.net> Message-ID: <25466979-05f6-9373-5064-94e866a20896@razorfever.net> Date: Sat, 26 May 2018 09:55:40 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <1527111631.2205598.1382649664.0BF85F15@webmail.messagingengine.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.4 required=5.0 tests=ALL_TRUSTED, FROM_STARTS_WITH_NUMS,RP_MATCHES_RCVD autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.razorfever.net X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 May 2018 13:55:49 -0000 On 18-05-23 05:40 PM, Mark Felder wrote: > In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin. > > [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518 I'd also like to add relevant reference to the public discussion regarding this patch: https://lists.freebsd.org/pipermail/freebsd-security/2015-February/008175.html (which also links to previous discussion on -current) as some additional context at this time. Derek