From: Mike Andrews
Date: Thu, 28 Jan 2010 17:44:19 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore

On Thu, 28 Jan 2010, Mike Andrews wrote:

> On 1/28/10 3:18 PM, Chris Palmer wrote:
>> For backwards compatibility, which do people prefer: Creating a new $N$
>> prefix every time we re-tune the algorithm, or using a new notation to say
>> how many times this password was hashed? For example: $1.1000$, $1.100000$,
>> etc.?
>>
>> I prefer the latter. It can work with Blowfish, too, and anything else
>> people come up with in the future.
>
> The Blowfish one already has that feature.
>
> A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my
> /etc/login.conf files to set "passwd_format=blf" and all my password hashes
> are in the format "$2a$04$salthash" -- with the "04" being the (default)
> number of rounds of Blowfish to run. I have some users where it's set to 11
> rounds, and as you'd expect, it puts a pretty big hurt on the ability of
> things like John The Ripper to attack the hashes.

Actually that's not the number of rounds, it's the log2() of the number of
rounds. So 04 is really 2^4=16 rounds (the minimum), 11 is 2^11=2048 rounds,
and the maximum is 31 -- which as the source code states, oughta scale pretty
well for a while. :)

See /usr/src/secure/lib/libcrypt/crypt-blowfish.c

There is probably a login.conf knob to raise the default number of rounds
beyond 2^4. But the point remains: look at what FreeBSD already has. :)
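
An added example, not part of the original message or of FreeBSD's code: a small audit that reads master.passwd-style lines, extracts the bcrypt cost field described above, converts it to rounds as 2^cost, and flags accounts below a policy cost. The policy value of 11, the function names and the sample accounts are assumptions made for illustration.

```python
import re

# Layout: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST, MAX_COST = 4, 31  # bounds given in the message above


def parse_bcrypt(field):
    """Return (variant, cost, rounds) for a bcrypt hash, or None if it is not one."""
    m = BCRYPT_RE.match(field)
    if not m:
        return None
    cost = int(m.group(2))
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    return m.group(1), cost, 1 << cost  # the field is log2 of the round count


def audit(passwd_lines, policy_cost=11):
    """Yield (user, finding) for accounts whose hash falls short of policy_cost."""
    for line in passwd_lines:
        if ":" not in line:
            continue  # blank or malformed line
        user, field = line.strip().split(":")[:2]
        if field == "" or field.startswith("*"):
            continue  # no usable password hash on this account
        try:
            parsed = parse_bcrypt(field)
        except ValueError as exc:
            yield user, f"malformed bcrypt hash: {exc}"
            continue
        if parsed is None:
            scheme = "md5crypt ($1$)" if field.startswith("$1$") else "unknown scheme"
            yield user, f"not bcrypt: {scheme}"
        elif parsed[1] < policy_cost:
            yield user, f"bcrypt cost {parsed[1]:02d} = {parsed[2]} rounds, below {policy_cost}"


# Constructed sample input: placeholder salt/hash characters, not real hashes.
FAKE = "." * 22 + "/" * 31
SAMPLE = [
    f"alice:$2a$04${FAKE}:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    f"bob:$2a$11${FAKE}:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:$1$saltsalt$" + "x" * 22 + ":1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```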