Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 9 Jun 2012 17:41:09 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Default password hash
Message-ID:  <20120609174109.1e100b64@gumby.homeunix.com>
In-Reply-To: <4FD334BE.4020900@sentex.net>
References:  <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 09 Jun 2012 07:34:22 -0400
Mike Tancsa wrote:

> On 6/8/2012 8:51 AM, Dag-Erling Sm=F8rgrav wrote:
> > We still have MD5 as our default password hash, even though
> > known-hash attacks against MD5 are relatively easy these days.
> > We've supported SHA256 and SHA512 for many years now, so how about
> > making SHA512 the default instead of MD5, like on most Linux
> > distributions?
>=20
> Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ?  Its
> currently not there.
>=20
> RELENG_7 is supported until 2013
>=20
> Sort of a security issue=20

Lets not forget that this is an attack against insecure passwords
performed after an attacker has already gained root or physical access.


> considering this assessment of MD5
>=20
> http://phk.freebsd.dk/sagas/md5crypt_eol.html

In the context of that all the existing algorithms are pretty insecure.
The people that are doing this are brute forcing passwords; the
cryptographic merits of the underlying hash are immaterial, except in
as far as they slow things down.=20

I would estimate that md5crypt vs sha512crypt is roughly:

2.5 * (5000rounds/1000rounds) *  (512bits/128bits) =3D 50

to put that in context, going from simple md5 to md5crypt is factor of
~1024.

50 is equivalent to less than 6bits of password entropy. In some cases
it may make little difference to the percentage of passwords cracked.



=20




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120609174109.1e100b64>