From owner-freebsd-security@FreeBSD.ORG Fri Jun 8 21:34:15 2012
Date: Fri, 08 Jun 2012 15:33:41 -0600
To: freebsd-security@freebsd.org
Message-Id: <201206082133.PAA26236@lariat.net>
From: Brett Glass
Subject: Re: Default password hash
List-Id: "Security issues [members-only posting]"

One thing to consider -- given the nature of the recent attack on LinkedIn -- is to provide a setting that allows one to increase the size of the "salt." The main danger, when a file of hashed passwords is stolen (as was the case with LinkedIn), is that an attacker can use a pre-computed dictionary to break accounts with weak or commonly used passwords. The larger the "salt," the more impractical it becomes to prepare or store such a dictionary. This can matter more than the strength or computational burden of the hashing algorithm.

--Brett Glass

At 06:51 AM 6/8/2012, Dag-Erling Smørgrav wrote:
>We still have MD5 as our default password hash, even though known-hash
>attacks against MD5 are relatively easy these days. We've supported
>SHA256 and SHA512 for many years now, so how about making SHA512 the
>default instead of MD5, like on most Linux distributions?
>
>Index: etc/login.conf
>===================================================================
>--- etc/login.conf (revision 236616)
>+++ etc/login.conf (working copy)
>@@ -23,7 +23,7 @@
> # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
> default:\
>- :passwd_format=md5:\
>+ :passwd_format=sha512:\
> :copyright=/etc/COPYRIGHT:\
> :welcome=/etc/motd:\
> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
>DES
>--
>Dag-Erling Smørgrav - des@des.no
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
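Review bot: the hunk changes `passwd_format` only in the `default:` class, and that setting governs passwords set from then on; it takes effect once `/etc/login.conf` is recompiled with `cap_mkdb`, and every existing `$1$` hash in `master.passwd` stays as it is until the user next changes their password. The commit message should state both points, so that nobody reads the one-line change as an immediate migration of the password file; a follow-up note on auditing for remaining md5 hashes would be worth adding alongside it.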
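Added here as an example, not code from the thread or from FreeBSD: a Python audit of a master.passwd-style file that reports each account's crypt(3) scheme and effective salt size, which is how one finds the accounts whose hashes were set under the old md5 default after the login.conf change (the change affects only passwords set afterwards), and which puts a number on the salt-size argument above, since each salt bit doubles the precomputed table an attacker would have to store. The sample entries and hash bodies are constructed placeholders; the salt limits used (8 characters for `$1$`, 16 for `$5$`/`$6$`, 2 for traditional DES, 6 bits per character) are those of the standard crypt implementations.

```python
import re

# crypt(3) modular-crypt-format ids and the maximum salt length each scheme
# uses (alphabet ./0-9A-Za-z, 6 bits per character); traditional DES has no id.
SCHEMES = {"1": ("md5crypt", 8), "5": ("sha256crypt", 16), "6": ("sha512crypt", 16)}

# "$id$[rounds=N$]salt$hash"; a 13-character field with no "$" is traditional DES.
MCF_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")

def describe_hash(field):
    """Return (scheme, salt_bits, rounds) for one master.passwd password field."""
    if not field or field.startswith("*"):        # locked or passwordless account
        return ("none", 0, None)
    m = MCF_RE.match(field)
    if m is None:
        return ("des", 12, None) if len(field) == 13 else ("unknown", 0, None)
    name, max_salt = SCHEMES.get(m.group("id"), ("unknown-$" + m.group("id"), 0))
    salt_len = len(m.group("salt"))
    if max_salt:                                   # crypt ignores salt beyond the limit
        salt_len = min(salt_len, max_salt)
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    return (name, 6 * salt_len, rounds)

def audit(master_passwd_text, want="sha512crypt"):
    """List (user, scheme, salt_bits) for accounts not yet hashed with `want`."""
    findings = []
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw = line.split(":")[:2]
        scheme, salt_bits, _ = describe_hash(pw)
        if scheme not in (want, "none"):
            findings.append((user, scheme, salt_bits))
    return findings

# Constructed sample: the hash bodies are filler characters, not real digests.
SAMPLE = "\n".join([
    "root:$1$abcdefgh$" + "x" * 22 + ":0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$6$0123456789abcdef$" + "y" * 86 + ":1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:zz" + "w" * 11 + ":1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
])

if __name__ == "__main__":
    for user, scheme, bits in audit(SAMPLE):
        print(f"{user}: {scheme} with a {bits}-bit salt; re-hash at next password change")
```

Run against a copy of the real file taken with the usual care for its permissions; accounts it lists keep their old hash until `passwd` is run for them.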