From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sat, 9 Jun 2012 00:01:57 -0400
Subject: Re: Default password hash

On Fri, Jun 8, 2012 at 9:06 AM, Maxim Khitrov wrote:
> On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav wrote:
>> We still have MD5 as our default password hash, even though known-hash
>> attacks against MD5 are relatively easy these days.  We've supported
>> SHA256 and SHA512 for many years now, so how about making SHA512 the
>> default instead of MD5, like on most Linux distributions?
>
> If SHA-2 hashes have been supported for many years, why haven't the
> man pages been updated? login.conf(5) on 9.0-RELEASE still only lists
> "des", "md5", and "blf". I've been using the latter on my systems.

Yes, I think at least listing all the supported algorithms in the
login.conf man page is of utmost importance. I've been using blowfish
since it was introduced to FreeBSD over 12 years ago, but I had no
idea that any other algorithms were possible/available until now.
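
Added example, not part of the original message or of FreeBSD: a small audit that reads master.passwd(5)-style text and reports which accounts still store a DES or MD5 hash, keyed on the crypt(3) hash prefix. The function names and the sample entries are constructed for illustration; the hash bodies are placeholders.

```python
import re

# crypt(3) hash prefix -> login.conf passwd_format name
SCHEMES = [
    (re.compile(r"\$1\$"), "md5"),
    (re.compile(r"\$2[abxy]?\$"), "blf"),
    (re.compile(r"\$5\$"), "sha256"),
    (re.compile(r"\$6\$"), "sha512"),
    (re.compile(r"_[./0-9A-Za-z]{19}$"), "des"),  # extended DES
    (re.compile(r"[./0-9A-Za-z]{13}$"), "des"),   # traditional DES
]
WEAK = {"des", "md5"}
LOCK = "*LOCKED*"  # prefix that "pw lock" puts in front of the stored hash

def classify(field):
    """Return (scheme, locked) for one master.passwd password field."""
    locked = field.startswith(LOCK)
    if locked:
        field = field[len(LOCK):]  # the old hash is still stored behind the prefix
    if field in ("", "*"):
        return ("none", locked)    # no hash stored
    for pattern, name in SCHEMES:
        if pattern.match(field):
            return (name, locked)
    return ("unknown", locked)

def audit(text):
    """Map user -> (scheme, locked) for master.passwd(5)-style text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        result[user] = classify(field)
    return result

def weak_accounts(text):
    """Users whose stored hash is DES or MD5, locked or not."""
    return sorted(u for u, (s, _) in audit(text).items() if s in WEAK)

# Constructed sample; the hash bodies are placeholders, not real hashes.
SAMPLE = """\
# constructed master.passwd excerpt
root:$6$examplesalt$PLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$examples$PLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$PLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$examples$PLACEHOLDER:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:ab0123456789.:1004:1004::0:0:Dave:/home/dave:/bin/sh
"""

if __name__ == "__main__":
    print("weak:", weak_accounts(SAMPLE))
```

Changing the default in login.conf only affects passwords set afterwards, so existing entries keep their old scheme until each user changes their password; that is why the locked account is still reported.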