From owner-freebsd-security Fri May 17 12:30:34 2002
From: Erik Paulsen Skålerud
To: 'Erik Paulsen Skålerud', 'Paul Herman', 'Matthew Hunt'
Cc: 'Jesper Wallin'
Subject: RE: How secure is a password and how many characters does it allow?
Date: Fri, 17 May 2002 18:05:37 +0200
Message-ID: <000201c1fdbc$b2b4b1f0$cea8a1d5@erik>
In-Reply-To: <006101c1fdba$4b4bfca0$cea8a1d5@erik>

I found out. Just change one line in /etc/auth.conf

Oh well :)

Erik.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Erik Paulsen Skålerud
Sent: Friday, May 17, 2002 5:48 PM
To: 'Paul Herman'; 'Matthew Hunt'
Cc: 'Jesper Wallin'; pulz@pulz.no; security@FreeBSD.ORG
Subject: RE: How secure is a password and how many characters does it allow?

You say that adduser uses DES, while the system defaults to MD5. How do you add users then? Using pw useradd etc?

Erik Paulsen

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Paul Herman
Sent: Friday, May 17, 2002 5:03 AM
To: Matthew Hunt
Cc: Jesper Wallin; pulz@pulz.no; security@FreeBSD.ORG
Subject: Re: How secure is a password and how many characters does it allow?

On Thu, 16 May 2002, Matthew Hunt wrote:

> On Fri, May 17, 2002 at 12:22:40AM +0200, Jesper Wallin wrote:
>
> > How will that affect my security? Isn't it more secure to use 128
> > characters instead of 8? Sounds like, if the security was the same,
> > the blowfish would be default or something similar.. What do You
> > recommend?
>
> DES is the traditional algorithm, and is probably the default for
> interoperability with old software and NIS. I've used MD5 for years
> with no trouble for the longer password support. If you don't run
> NIS, then I don't think there's any reason to stick with DES.

OK, here's a quick rundown, some of which has been stated in this thread already.

Hash       Max significant password characters
------------------------------------------
DES        8
MD5        >512K (only tested up to 512K)
Blowfish   72

MD5 *is* the default in FreeBSD (see /etc/login.conf) unless you use the adduser(8) perl script, which still generates the older DES password hashes.

Also, it was stated that the Blowfish hash is faster. The Blowfish password hash is, in fact, slower. Quick testing shows that the default Blowfish seems to be roughly 50% slower than MD5. This is a Good Thing if you want to protect against brute force guessers. Not only that, the algorithm scales better with time, because you can set the number of iterations for the hash within the salt itself.

The default is hardcoded for now to be 2^4=16 in /usr/src/secure/lib/libcrypt/crypt-blowfish.c:crypt_blowfish(), but you can change this "on the fly" and put it in your own /etc/master.passwd by providing the salt yourself:

bash$ perl -e 'print crypt("secret", "\$2a\$04\$salt")'; echo
$2a$04$salt............kC2SI.F9h7C15VchgS17zSObA10b/m9d6c.xa
bash$ perl -e 'print crypt("secret", "\$2a\$06\$salt")'; echo
$2a$06$salt............kC2SI.pIUU5dNGIJMpP6Fe73WiLDWgq9hZNgO
bash$ perl -e 'print crypt("secret", "\$2a\$08\$salt")'; echo
$2a$08$salt............kC2SI.QSKa17W8d4Tf9v/Hxo4DeCxL8Amj7cm

Lastly, all can be used in NIS, provided all OSes can understand the hash (which is probably what Matt meant.) In fact, I've used MD5 in NIS for years now, with mixed Linux and FreeBSD systems. Only recently has RedHat modified their MD5 hash algorithm to include a wider range of characters. :-(

Hope that clears things up,

-Paul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
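An added example, not code from the thread or from FreeBSD: a small Python audit that tells the three hash formats in Paul's table apart in a master.passwd-style file, reads the cost factor out of a $2a$ field the way the salt encodes it, and flags accounts still on DES (8 significant characters) or on a low Blowfish cost. The sample entries are constructed; the 2^6 threshold is an assumed policy value, not a FreeBSD default.

```python
import re

# Field grammars for the hash families in Paul's table. DES: 2-char salt plus
# 11-char hash, no prefix. MD5: $1$<salt, up to 8>$<22-char hash>. Blowfish:
# $2a$<cost>$<22-char salt><31-char hash>, cost = log2 of the iteration count.
B64 = r"[./A-Za-z0-9]"
DES_RE = re.compile(rf"^{B64}{{13}}$")
MD5_RE = re.compile(rf"^\$1\$[^$]{{1,8}}\${B64}{{22}}$")
BCRYPT_RE = re.compile(rf"^\$2a\$(\d\d)\${B64}{{53}}$")
DES_SIGNIFICANT_CHARS = 8  # from the table in the thread

def classify_hash(field):
    """Return (scheme, iterations): iterations is 2**cost for Blowfish, else None."""
    if field == "" or field.startswith("*"):
        return ("locked", None)
    m = BCRYPT_RE.match(field)
    if m:
        return ("Blowfish", 2 ** int(m.group(1)))
    if MD5_RE.match(field):
        return ("MD5", None)
    if DES_RE.match(field):
        return ("DES", None)
    return ("unknown", None)

def audit_master_passwd(lines, min_cost=6):
    """Flag accounts still on DES, on a Blowfish cost below min_cost, or on an
    unrecognised hash. min_cost=6 is an assumed policy value, not a FreeBSD default."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, pwfield = line.split(":")[:2]
        scheme, iterations = classify_hash(pwfield)
        if scheme == "DES":
            findings.append((user, "DES: only %d characters significant" % DES_SIGNIFICANT_CHARS))
        elif scheme == "Blowfish" and iterations < 2 ** min_cost:
            findings.append((user, "Blowfish cost 2^%d below 2^%d" % (iterations.bit_length() - 1, min_cost)))
        elif scheme == "unknown":
            findings.append((user, "unrecognised hash format"))
    return findings

# Constructed sample file, not a real system's. The Blowfish fields are the
# cost-4 and cost-8 hashes from the thread; the DES and MD5 fields are made up.
SAMPLE_MASTER_PASSWD = [
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    "erik:$2a$04$salt............kC2SI.F9h7C15VchgS17zSObA10b/m9d6c.xa:1001:1001::0:0:Erik:/home/erik:/bin/sh",
    "paul:$2a$08$salt............kC2SI.QSKa17W8d4Tf9v/Hxo4DeCxL8Amj7cm:1002:1002::0:0:Paul:/home/paul:/bin/sh",
    "olduser:abJnggxhB/yWI:1003:1003::0:0:Added by adduser:/home/olduser:/bin/sh",
    "md5user:$1$saltsalt$Ab9jK2Lm3NoPqRsTuVwXy0:1004:1004::0:0:MD5 user:/home/md5user:/bin/sh",
]
```

Run `audit_master_passwd(SAMPLE_MASTER_PASSWD)` to get the (user, problem) pairs; on a real system feed it the lines of /etc/master.passwd as root.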