From owner-freebsd-security@FreeBSD.ORG Tue Jun 19 18:14:01 2012
Date: Tue, 19 Jun 2012 19:14:00 +0100
From: "Simon L. B. Nielsen"
To: Maxim Khitrov
Cc: freebsd-security@freebsd.org, ian ivy
Subject: Re: Default password encryption method.

On Jun 19, 2012 3:16 PM, "Maxim Khitrov" wrote:
>
> On Tue, Jun 19, 2012 at 10:10 AM, ian ivy wrote:
> > Hello,
> >
> > By default FreeBSD uses MD5 to encrypt passwords. MD5 is believed to be
> > more secure than e.g. DES but less than e.g. SHA512. Currently several
> > major Linux distributions use a SHA512 mechanism. Suse Linux also offers
> > Blowfish.
> >
> > Some Debian based distributions use an MD5-based algorithm compatible with
> > the one used by recent releases of FreeBSD - but mostly this variable
> > (MD5_CRYPT_ENAB) is deprecated, and a SHA512-based algorithm is used.
> >
> > Of course, in FreeBSD we can change the MD5 for example to BLF,
> > but wouldn't it be a better solution to use SHA512 by default?
>
> This has been discussed recently in the following thread:
>
> http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html

The FreeBSD Security Team is also looking at (/poking people to look at) solutions which will improve the time it takes to brute force passwords significantly more.

--
Simon
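A defender's follow-up to the thread above, added here as an example and not part of the original posts: changing the configured password format (e.g. from MD5 to Blowfish or SHA512) only affects hashes generated after the change, so existing accounts keep their old hash until the password is next set. The script below classifies each password field in master.passwd/shadow-style lines by its crypt prefix and lists accounts still on MD5-crypt, DES or no hash at all. The sample lines and their hash strings are constructed and not valid hashes.

```python
import re

# Crypt scheme prefixes: (prefix, scheme name, acceptable for new hashes?).
# $1$ is MD5-crypt, the historical FreeBSD default the thread discusses.
SCHEMES = [
    ("$1$",  "md5",      False),
    ("$2a$", "blowfish", True),
    ("$2b$", "blowfish", True),
    ("$5$",  "sha256",   True),
    ("$6$",  "sha512",   True),
]
# Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return (scheme, acceptable) for one password field."""
    if field == "":
        return ("empty", False)        # passwordless account
    if field.startswith("*") or field.startswith("!"):
        return ("locked", True)        # no usable hash, nothing to crack offline
    for prefix, name, ok in SCHEMES:
        if field.startswith(prefix):
            return (name, ok)
    if field.startswith("_"):
        return ("ext-des", False)      # BSDi extended DES
    if DES_RE.match(field):
        return ("des", False)
    return ("unknown", False)

def audit(lines):
    """Classify every account; return (per_user dict, sorted list needing rehash)."""
    per_user = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        per_user[fields[0]] = classify_hash(fields[1])
    weak = sorted(u for u, (_, ok) in per_user.items() if not ok)
    return per_user, weak

# Constructed master.passwd-style sample; hash values are placeholders only.
SAMPLE = [
    "root:$6$FAKEsalt$FAKEsha512hashvalue0000000:0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$1$FAKEsalt$FAKEmd5hashvalue00000:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$2b$10$FAKEbcryptsaltFAKEbcrypthashvalue000000000000:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "legacy:ab/FAKEdesHs.:1003:1003::0:0:Legacy:/home/legacy:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    users, weak = audit(SAMPLE)
    for user, (scheme, ok) in users.items():
        print(f"{user:8} {scheme:9} {'ok' if ok else 'REHASH'}")
    print("accounts needing a new password hash:", ", ".join(weak))
```

Run it against a real master.passwd copy (as root, on an offline copy) to find accounts that must change their password after switching the format.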