From: ian ivy
To: freebsd-security@freebsd.org
Date: Tue, 19 Jun 2012 16:10:06 +0200
Subject: Default password encryption method.

Hello,

By default FreeBSD uses MD5 to encrypt passwords. MD5 is believed to be more secure than e.g. DES but less than e.g. SHA512.
Currently several major Linux distributions use a SHA512 mechanism. Suse Linux also offers Blowfish. Some Debian-based distributions use an MD5-based algorithm compatible with the one used by recent releases of FreeBSD, but mostly this variable (MD5_CRYPT_ENAB) is deprecated, and a SHA512-based algorithm is used. Of course, in FreeBSD we can change MD5 to, for example, BLF, but would it not be a better solution to use SHA512 by default?
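Switching the default scheme only affects passwords set afterwards, so an administrator also wants to know which scheme existing accounts still use. The following is an added example, not part of the original mail: it classifies crypt(3) hashes by their prefix and audits a master.passwd-style file, assuming the standard master.passwd(5) field layout; the sample entries and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example: report which crypt(3) scheme each account in a
# master.passwd-style file actually uses. Changing passwd_format in
# login.conf does not rehash existing passwords, so old MD5 (or DES)
# hashes linger until each user next changes their password.
# All sample data below is constructed; the hash bodies are placeholders.

# Map one crypt(3) hash string to its scheme name by its modular prefix.
classify_hash() {
    case "$1" in
        '')                      echo "empty" ;;     # no password set
        '*'*)                    echo "locked" ;;    # "*" or "*LOCKED*..."
        '$1$'*)                  echo "md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "blowfish" ;;
        '$5$'*)                  echo "sha256" ;;
        '$6$'*)                  echo "sha512" ;;
        '$'*)                    echo "unknown" ;;
        *)                       echo "des" ;;       # legacy 13-char DES crypt
    esac
}

# Print "user scheme" for every account line of a master.passwd-style file
# (fields: name:hash:uid:gid:class:change:expire:gecos:home:shell).
audit_passwd_file() {
    while IFS=: read -r name hash _rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s %s\n' "$name" "$(classify_hash "$hash")"
    done < "$1"
}

# Count accounts in FILE still using SCHEME (e.g. md5).
count_scheme() {
    audit_passwd_file "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# Constructed sample file; placeholder hashes, not real credentials.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$6$saltsalt$PLACEHOLDERHASHsha512:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$PLACEHOLDERHASHmd5:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$saltsaltsaltsaltsaltsaPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$saltsalt$PLACEHOLDER:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF

audit_passwd_file "$SAMPLE_FILE"
```

Run against /etc/master.passwd (as root) to list accounts that still carry MD5 hashes after the default has been moved to SHA512 or Blowfish.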