Date: Fri, 08 Jun 2012 15:33:41 -0600
From: Brett Glass <brett@lariat.org>
To: freebsd-security@freebsd.org
Subject: Re: Default password hash
Message-ID: <201206082133.PAA26236@lariat.net>
One thing to consider -- given the nature of the recent attack on LinkedIn -- is to provide a setting that allows one to increase the size of the "salt." The main danger, when a file of hashed passwords is stolen (as was the case with LinkedIn), is that an attacker can use a pre-computed dictionary to break accounts with weak or commonly used passwords. The larger the "salt," the more impractical it becomes to prepare or store such a dictionary. This can matter more than the strength or computational burden of the hashing algorithm.

--Brett Glass

At 06:51 AM 6/8/2012, Dag-Erling Smørgrav wrote:
>We still have MD5 as our default password hash, even though known-hash
>attacks against MD5 are relatively easy these days. We've supported
>SHA256 and SHA512 for many years now, so how about making SHA512 the
>default instead of MD5, like on most Linux distributions?
>
>Index: etc/login.conf
>===================================================================
>--- etc/login.conf (revision 236616)
>+++ etc/login.conf (working copy)
>@@ -23,7 +23,7 @@
> # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
> default:\
>- :passwd_format=md5:\
>+ :passwd_format=sha512:\
> :copyright=/etc/COPYRIGHT:\
> :welcome=/etc/motd:\
> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
>DES
>--
>Dag-Erling Smørgrav - des@des.no
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
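Review bot: the hunk flips `passwd_format` for the `default` class only and rehashes nothing, so every account keeps its existing `$1$` (MD5) or DES hash until its next password change, and the new value is not picked up until /etc/login.conf.db is rebuilt with cap_mkdb(1); neither point is stated here, so the commit message or an UPDATING entry should say both and suggest that administrators expire or otherwise force a password change for accounts still carrying MD5 hashes.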
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201206082133.PAA26236>
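As an added example (not part of this thread and not FreeBSD's own code), a small Python audit that walks master.passwd(5)-format text, reports which accounts still carry DES or MD5 hashes after a default change like the one proposed, and shows how much salt each scheme gives them, which is the quantity the discussion above turns on. It assumes the crypt(3) `$1$`/`$5$`/`$6$` prefixes and the 6-bits-per-character crypt salt alphabet; the sample file is constructed.

```python
import re
from typing import NamedTuple, Optional
# crypt(3) modular format $id$[rounds=N$]salt$hash; traditional DES has no prefix (2-char salt).
_MCF = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")
# Salt chars come from the 64-symbol crypt alphabet (6 bits each): DES 2 (12 bits), md5 up to 8 (48), sha256/512 up to 16 (96).
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}
WEAK = {"des", "md5"}  # schemes to flag once the default moves to sha512

class HashInfo(NamedTuple):
    user: str
    scheme: str
    salt_bits: int
    rounds: Optional[int]  # explicit rounds=N, if the hash carries one
    weak: bool

def classify(user: str, field: str) -> Optional[HashInfo]:
    """Describe one master.passwd password field; None for '*', '!' or empty (no usable hash)."""
    if not field or field.startswith(("*", "!")):
        return None
    m = _MCF.match(field)
    if m:
        scheme = SCHEMES.get(m.group("id"), "unknown$" + m.group("id"))
        salt = m.group("salt")
        rounds = int(m.group("rounds")) if m.group("rounds") else None
    else:  # no '$' prefix: traditional DES
        scheme, salt, rounds = "des", field[:2], None
    return HashInfo(user, scheme, 6 * len(salt), rounds, scheme in WEAK)

def audit(master_passwd: str, weak_only: bool = False) -> list[HashInfo]:
    """Classify each account in master.passwd(5)-format text (user:hash:uid:...).
    weak_only=True keeps just DES/MD5 accounts: changing passwd_format rehashes
    nothing, so those stay weak until each user next changes their password."""
    results = []
    for line in master_passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        info = classify(user, field)
        if info is not None and (info.weak or not weak_only):
            results.append(info)
    return results

# Constructed sample, not a real password file; hash bodies are placeholders.
SAMPLE = """\
root:$6$rounds=50000$Q3vZk9Lm1pXo4Tfr$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$Ab3dEf9h$PLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:2fPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""
```

Run `audit(SAMPLE, weak_only=True)` against a real master.passwd to list the accounts that a passwd_format change alone will not protect.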