From owner-freebsd-security@FreeBSD.ORG  Sun Jun 10 22:37:31 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BC184106566B
	for <freebsd-security@freebsd.org>;
	Sun, 10 Jun 2012 22:37:31 +0000 (UTC)
	(envelope-from oliver.pntr@gmail.com)
Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com
	[209.85.213.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 78AC58FC18
	for <freebsd-security@freebsd.org>;
	Sun, 10 Jun 2012 22:37:31 +0000 (UTC)
Received: by yenl8 with SMTP id l8so2391487yen.13
	for <freebsd-security@freebsd.org>;
	Sun, 10 Jun 2012 15:37:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:date:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	bh=EcdFM5sRwDfDC/lagI3v9gT0ROgeQolErVMpq51WlF8=;
	b=sX4wxT+soIlTZ4vtJJwMiONtWe0ZBrbzOaSVcEKaCnG1RpJHVwG3njPwddUzQwtE5d
	HQRCNoievCyCSXk1X7aFGpU1ucV3JLQo6Q1fFfETt/sRdG0ZQX1/I8q1cjE56tUW72Ed
	yhJ71ME2fVIYAZddhbBBKwfp3IARNDPsLuitnAka7z6jzFcrWELXTTq0PijxJ/G9k9Hq
	Krqvre2wcLCQJfQ7hCIF70e5WswND3QOOZFEleQ+c751dxIkueI+M0eknf9K8huG3g8w
	iUlwD4HNkmQ0E+RgjvH25pAf5LMeql+YPUaoX6x/E6n1odS6+mb//vZO7jtrtXgyFZwW
	QCWA==
MIME-Version: 1.0
Received: by 10.236.181.199 with SMTP id l47mr17632085yhm.85.1339367850874;
	Sun, 10 Jun 2012 15:37:30 -0700 (PDT)
Received: by 10.236.46.233 with HTTP; Sun, 10 Jun 2012 15:37:30 -0700 (PDT)
Date: Mon, 11 Jun 2012 00:37:30 +0200
Message-ID: <CAPjTQNGOLfb64rtz3gu4xGF8aqzcjD5QBEjM_gwwAykKQoyWgA@mail.gmail.com>
From: Oliver Pinter <oliver.pntr@gmail.com>
To: =?ISO-8859-1?Q?Dag=2DErling_Sm=F8rgrav?= <des@des.no>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
Subject: blf uses only 2^4 round for passwd encoding?! [Re: Default password
	hash]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2012 22:37:31 -0000

http://svnweb.freebsd.org/base/head/secure/lib/libcrypt/crypt-blowfish.c?re=
vision=3D231986&view=3Dmarkup

145          static const char     *magic =3D "$2a$04$";
  146
  147                  /* Defaults */
  148          minr =3D 'a';
  149          logr =3D 4;
  150          rounds =3D 1 << logr;
  151
  152          /* If it starts with the magic string, then skip that */
  153          if(!strncmp(salt, magic, strlen(magic))) {
  154                  salt +=3D strlen(magic);
  155          }

grep 04 /etc/master.passwd:
root:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:=
XXX:/root:/bin/csh
xxxx:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:100X:100X=
::0:0:XXXXXXXXXXXXX:/home/xxxx:/bin/tcsh

16 rounds in 2012? It is not to weak?!

On 6/8/12, Dag-Erling Sm=F8rgrav <des@des.no> wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days.  We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
>
> Index: etc/login.conf
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- etc/login.conf      (revision 236616)
> +++ etc/login.conf      (working copy)
> @@ -23,7 +23,7 @@
>  # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
>  default:\
> -       :passwd_format=3Dmd5:\
> +       :passwd_format=3Dsha512:\
>         :copyright=3D/etc/COPYRIGHT:\
>         :welcome=3D/etc/motd:\
>         :setenv=3DMAIL=3D/var/mail/$,BLOCKSIZE=3DK,FTP_PASSIVE_MODE=3DYES=
:\
>
> DES
> --
> Dag-Erling Sm=F8rgrav - des@des.no
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or=
g"
>