From owner-freebsd-security@freebsd.org Sat Jun 2 18:20:43 2018
Date: Sat, 2 Jun 2018 11:20:32 -0700
From: John-Mark Gurney
To: Mark Felder, freebsd-security@freebsd.org, Dag-Erling Smørgrav
Subject: Re: Default password hash, redux
Message-ID: <20180602182032.GK4982@funkthat.com>
In-Reply-To: <86vab4ydja.fsf@next.des.no> <20180527231418.GG4982@funkthat.com>
X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65
User-Agent: Mutt/1.6.1 (2016-04-27)

> I believe that there are patches/review for making the default password
> hash algorithm configurable via login.conf or something similar.. so some
> of the work has already been done..
>
> > I'd also like to see us pull in scrypt if cperciva doesn't have any objections. It's good to have options.
>
> Yes, pulling in scrypt and/or argon2 is a great idea...
>
> --
> John-Mark Gurney                              Voice: +1 415 225 5579
>
>      "All that I will do, has been done, All that I have, has not."
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Dag-Erling Smørgrav wrote this message on Thu, May 31, 2018 at 00:38 +0200:
> John-Mark Gurney writes:
> > I believe that there are patches/review for making the default password
> > hash algorithm configurable via login.conf or something similar...
>
> You mean like r64918?

No, I don't.  Sorry, I wasn't specific enough in my comment, but you
also dropped the context of that statement:

John-Mark Gurney wrote this message on Sun, May 27, 2018 at 16:14 -0700:
> Mark Felder wrote this message on Wed, May 23, 2018 at 16:40 -0500:
> > In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin.
>
> I'd like to see it set where we set a time, say 50ms or so, and on each
> boot, we set the rounds based upon this. (obviously configurable), w/ a
> minimum maybe for slower systems...  This allows us to autoscale to faster
> cpu systems...

r64918 does not allow you to set default number of rounds... there is a
patch in bugzilla or phabricator that allows you to set this..

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
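The time-budgeted round selection described above (pick a target such as 50ms, measure at boot, derive the rounds from that, and clamp to a floor for slow hardware), written out as an added example that is not part of this thread or of FreeBSD's own code. It uses PBKDF2-HMAC-SHA512 iterations from Python's hashlib as a stand-in for crypt(3) rounds, and the `calibrate_rounds`/`within_budget` names, the floor and ceiling defaults and the sample secret are assumptions of this example.

```python
import hashlib
import os
import time

# Constructed sample input: the secret and salt only feed the stand-in cost
# function for timing; their values carry no meaning beyond this example.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = os.urandom(16)


def measure_pbkdf2(rounds: int) -> float:
    """Wall-clock seconds for one PBKDF2-HMAC-SHA512 run at `rounds`.

    PBKDF2 stands in for crypt(3)'s per-algorithm rounds parameter
    (assumption: cost grows linearly with rounds, as it does for both).
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", SAMPLE_PASSWORD, SAMPLE_SALT, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_ms=50.0, min_rounds=10_000, max_rounds=5_000_000,
                     probe_rounds=20_000, cost_fn=measure_pbkdf2):
    """Choose a rounds count so one hash costs about `target_ms` on this host.

    The fastest of three probe runs is used, so a transient stall (common
    during boot) cannot drag the estimate down. A floor stops slow machines
    from picking a trivially cheap setting; a ceiling bounds fast ones.
    """
    best = min(cost_fn(probe_rounds) for _ in range(3))
    if best <= 0:
        return max_rounds  # timer too coarse to trust: fail conservative
    per_round = best / probe_rounds
    estimate = round(target_ms / 1000.0 / per_round)
    return max(min_rounds, min(max_rounds, estimate))


def within_budget(rounds, target_ms=50.0, tolerance=0.5, cost_fn=measure_pbkdf2):
    """Re-check the chosen setting: True if one hash lands within
    +/- tolerance of the target (the sanity check an rc script would log)."""
    actual_ms = cost_fn(rounds) * 1000.0
    return abs(actual_ms - target_ms) <= tolerance * target_ms


if __name__ == "__main__":
    rounds = calibrate_rounds()
    print(f"rounds={rounds} within_budget={within_budget(rounds)}")
```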