From owner-freebsd-security@FreeBSD.ORG Sat Jun 9 11:34:24 2012
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
Date: Sat, 09 Jun 2012 07:34:22 -0400
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Default password hash
Message-ID: <4FD334BE.4020900@sentex.net>
In-Reply-To: <86r4tqotjo.fsf@ds4.des.no>
References: <86r4tqotjo.fsf@ds4.des.no>
List-Id: "Security issues [members-only posting]"

On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?

Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7? It's currently
not there. RELENG_7 is supported until 2013. Sort of a security issue
considering this assessment of MD5:
http://phk.freebsd.dk/sagas/md5crypt_eol.html

        ---Mike

>
> Index: etc/login.conf
> ===================================================================
> --- etc/login.conf      (revision 236616)
> +++ etc/login.conf      (working copy)
> @@ -23,7 +23,7 @@
>  # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
>  default:\
> -       :passwd_format=md5:\
> +       :passwd_format=sha512:\
>         :copyright=/etc/COPYRIGHT:\
>         :welcome=/etc/motd:\
>         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
> DES

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
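Review bot: the `passwd_format=sha512` hunk changes only what new hashes look like; nothing in the patch rehashes what is already in master.passwd, so every existing account keeps its `$1$` md5crypt hash until its password is next set with passwd(1), and on an upgraded system the new value is not even read until `cap_mkdb /etc/login.conf` regenerates login.conf.db. The commit message (and an UPDATING entry) should say both and tell admins to look for remaining `$1$` entries in master.passwd. Note also that only classes inheriting from `default:` via `tc=` pick this up; any class that sets its own `passwd_format=md5` keeps MD5.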
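Because the login.conf change governs only hashes written after it takes effect, the practical follow-up is to audit which accounts still carry md5crypt hashes. The following is an added example, not code from this thread or from FreeBSD: a small POSIX sh audit that classifies each account's password field in a master.passwd-style file by its crypt(3) prefix. The sample file, the user names and the hash bodies are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the thread): report which crypt(3) scheme each
# account in a master.passwd-style file uses. Switching passwd_format in
# login.conf only governs hashes written from then on, so this is how you
# find the $1$ (md5crypt) entries that survive the change.

# Constructed sample in master.passwd format; the hash bodies are
# placeholders, not real hashes. Fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
SAMPLE_PASSWD='root:$6$saltsaltsaltsalt$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$PLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$08$twentytwocharactersalt.PLACEHOLDERHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$5$saltsalt$PLACEHOLDERHASH:1003:1003:staff:0:0:Carol:/home/carol:/bin/sh
dave:abJnggxhB/yWI:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:*LOCKED*$1$saltsalt$PLACEHOLDERHASH:1005:1005::0:0:Erin:/home/erin:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Map one password field to the crypt(3) scheme that produced it, by its
# modular-crypt prefix: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt,
# $2a$/$2b$ Blowfish ("blf" in login.conf). A bare 13-character field is
# traditional DES; "*", "!" or the "*LOCKED*" prefix that pw(8) adds means
# the account has no usable password at all.
hash_algo() {
    case "$1" in
        '')              echo empty ;;
        '*'*|'!'*)       echo locked ;;
        '$1$'*)          echo md5crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$2a$'*|'$2b$'*) echo bcrypt ;;
        *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Read master.passwd lines on stdin and print "user scheme", one per account.
# Comment lines and blank lines are skipped.
audit_passwd() {
    while IFS=: read -r name pw _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$name" "$(hash_algo "$pw")"
    done
}

# Count the accounts on stdin whose hash uses the given scheme.
count_algo() {
    audit_passwd | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Run against the constructed sample. On a real FreeBSD host this would be
# "audit_passwd < /etc/master.passwd" as root.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
md5_left=$(printf '%s\n' "$SAMPLE_PASSWD" | count_algo md5crypt)
echo "accounts still on md5crypt: $md5_left"
```

The fifth field of each record is the login class, which is what decides which `passwd_format` applies when that user next changes a password; an empty class falls back to `default`, so the `carol` record with class `staff` would follow whatever `staff:` inherits or overrides in login.conf.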