From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:36:55 2010
Message-ID: <4B620DAC.4080608@bit0.com>
Date: Thu, 28 Jan 2010 17:20:28 -0500
From: Mike Andrews
To: freebsd-security@freebsd.org
References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org>
In-Reply-To: <20100128201857.GP892@noncombatant.org>
Subject: Re: PHK's MD5 might not be slow enough anymore

On 1/28/10 3:18 PM, Chris Palmer wrote:
> For backwards compatibility, which do people prefer: Creating a new $N$
> prefix every time we re-tune the algorithm, or using a new notation to say
> how many times this password was hashed? For example: $1.1000$, $1.100000$,
> et c.?
>
> I prefer the latter. It can work with Blowfish, too, and anything else
> people come up with in the future.

The Blowfish one already has that feature.

A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my /etc/login.conf files to set "passwd_format=blf", and all my password hashes are in the format "$2a$04$salthash", with the "04" being the (default) number of rounds of Blowfish to run. I have some users where it's set to 11 rounds, and as you'd expect, it puts a pretty big hurt on the ability of things like John The Ripper to attack the hashes.

Just making sure we aren't suggesting reinventing a wheel here :)

Even 4 rounds of Blowfish is far slower than 1000 rounds of MD5, and 1000 rounds of MD5 is far slower than DES. And yeah, fear of MD5 collisions is totally irrelevant here.

If you're really that worried about MD5 anyway, just change "passwd_format=md5" to "passwd_format=blf" in your login.conf's default section and be happy :)
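The thread is about where the work factor lives in a password hash string. As an added example (not code from the FreeBSD list or from any poster), the Python below parses the crypt(3) modular formats under discussion and exposes each one's cost: md5crypt ($1$) and traditional DES carry a fixed, implicit iteration count; bcrypt ($2a$NN$) carries it in the string as NN, which is the base-2 logarithm of the iteration count (so "04" means 16 expensive key-schedule passes and "11" means 2048); and sha-crypt ($5$/$6$) carries it as an optional "rounds=N" field, which is the "put the round count in the hash" notation the quoted message proposes. The sample hashes are constructed, syntactically valid placeholders, not real accounts, and the thresholds in `weaker_than` are assumptions chosen for the example, not FreeBSD defaults.

```python
"""Parse modular-crypt-format hashes and report their work factor (added example)."""
from dataclasses import dataclass
from typing import Optional

# bcrypt's cost field is log2 of the EksBlowfish setup iterations; spec range 4..31.
BCRYPT_MIN_COST, BCRYPT_MAX_COST = 4, 31
# sha-crypt clamps rounds= into this range rather than rejecting out-of-range values.
SHACRYPT_MIN_ROUNDS, SHACRYPT_MAX_ROUNDS, SHACRYPT_DEFAULT = 1000, 999_999_999, 5000


@dataclass(frozen=True)
class HashInfo:
    scheme: str
    cost_field: Optional[str]   # cost exactly as written in the hash, None if implicit
    iterations: int             # expanded work factor the scheme actually performs
    salt: str


def parse_crypt_hash(h: str) -> HashInfo:
    """Return scheme, salt and work factor for one crypt(3)-style hash string."""
    if not h.startswith("$"):
        # Traditional DES crypt: 2-char salt + 11-char hash, 25 DES iterations, fixed.
        if len(h) != 13:
            raise ValueError("traditional DES hash must be 13 characters")
        return HashInfo("des", None, 25, h[:2])

    parts = h.split("$")          # parts[0] is "" because the string starts with "$"
    if len(parts) < 4:
        raise ValueError("malformed modular-crypt string")
    ident = parts[1]

    if ident == "1":
        # md5crypt (PHK): $1$salt$hash, always 1000 iterations; no field to raise it.
        return HashInfo("md5crypt", None, 1000, parts[2])

    if ident in ("2", "2a", "2b", "2y"):
        # bcrypt: $2a$NN$ + 22-char salt + 31-char digest, 60 chars in total.
        if len(parts) != 4 or len(parts[2]) != 2 or len(parts[3]) != 53:
            raise ValueError("malformed bcrypt string")
        cost = int(parts[2], 10)
        if not BCRYPT_MIN_COST <= cost <= BCRYPT_MAX_COST:
            raise ValueError(f"bcrypt cost {cost} outside {BCRYPT_MIN_COST}..{BCRYPT_MAX_COST}")
        return HashInfo("bcrypt", parts[2], 2 ** cost, parts[3][:22])

    if ident in ("5", "6"):
        # sha-crypt: $5$[rounds=N$]salt$hash. The round count, when present, is
        # part of the string, so the same identifier covers any tuning.
        scheme = "sha256crypt" if ident == "5" else "sha512crypt"
        cost_field, rounds, salt_idx = None, SHACRYPT_DEFAULT, 2
        if parts[2].startswith("rounds="):
            cost_field = parts[2]
            rounds = int(parts[2][len("rounds="):], 10)
            rounds = min(max(rounds, SHACRYPT_MIN_ROUNDS), SHACRYPT_MAX_ROUNDS)
            salt_idx = 3
        if len(parts) <= salt_idx + 1:
            raise ValueError("malformed sha-crypt string")
        return HashInfo(scheme, cost_field, rounds, parts[salt_idx][:16])

    raise ValueError(f"unknown scheme identifier ${ident}$")


def weaker_than(h: str, min_bcrypt_cost: int = 10, min_shacrypt_rounds: int = 100_000) -> bool:
    """Audit helper: True if this hash should be regenerated at the user's next login.
    The two thresholds are assumptions for the example, not FreeBSD defaults."""
    info = parse_crypt_hash(h)
    if info.scheme == "bcrypt":
        return int(info.cost_field, 10) < min_bcrypt_cost
    if info.scheme in ("sha256crypt", "sha512crypt"):
        return info.iterations < min_shacrypt_rounds
    return True   # des and md5crypt have no tunable cost at all


# Constructed sample hashes: valid shapes, filler digests, not real accounts.
SAMPLES = {
    "des":      "abJnggxhB/yWI",
    "md5crypt": "$1$saltsalt$abcdefghijklmnopqrstuv",
    "bcrypt4":  "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "bcrypt11": "$2a$11$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "sha512":   "$6$rounds=100000$saltsalt12345678$" + "x" * 86,
}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        info = parse_crypt_hash(h)
        print(f"{name:9} {info.scheme:12} cost={info.cost_field!s:14} "
              f"iterations={info.iterations:<9} rehash={weaker_than(h)}")
```

Run stand-alone it prints one line per sample; the "bcrypt4" row shows the cost-4 hash from the message expanding to 16 iterations and the cost-11 hash to 2048, which is why the higher setting hurts a cracker. A login-time hook that calls `weaker_than` on the stored string and re-hashes with the current `login.conf` setting is the usual way to migrate an existing password file without forcing resets.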