Date: Sat, 09 Jun 2012 07:34:22 -0400 From: Mike Tancsa <mike@sentex.net> To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= <des@des.no> Cc: freebsd-security@freebsd.org Subject: Re: Default password hash Message-ID: <4FD334BE.4020900@sentex.net> In-Reply-To: <86r4tqotjo.fsf@ds4.des.no> References: <86r4tqotjo.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote: > We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its currently not there. RELENG_7 is supported until 2013 Sort of a security issue considering this assessment of MD5 http://phk.freebsd.dk/sagas/md5crypt_eol.html ---Mike > > Index: etc/login.conf > =================================================================== > --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > > DES -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FD334BE.4020900>