Date: Mon, 24 Sep 2001 10:39:48 -0700 (PDT)
From: Paul Herman
To: Nathan Mace
Cc: Neil Darlow, freebsd-questions
Subject: Re: How do I enable Blowfish passwords?
In-Reply-To: <20010923210126.6d863b0f.mace_nathan@uchaswv.edu>
Message-ID: <20010924101328.S60749-100000@tick.sc.omation.com>

On Sun, 23 Sep 2001, Nathan Mace wrote:

> i know that blowfish is a way of encrypting passwords, but is
> it better than MD5? how is it different?

Hi Nathan,

If you are running NIS on a network with OpenBSD, it is compatible
with OpenBSD, which uses blowfish as its default.
It also allows you to change the number of iterations on the fly,
which means as computers get faster, the algorithm doesn't
necessarily need to be changed to prevent dictionary attacks. Try
it yourself:

  # cost 04
  perl -e \
    '$c = crypt "password","\$2a\$04\$theblowfishsaltisverylong";
     print "$c\n";'

  # cost 09
  perl -e \
    '$c = crypt "password","\$2a\$09\$theblowfishsaltisverylong";
     print "$c\n";'

  # cost 12
  perl -e \
    '$c = crypt "password","\$2a\$12\$theblowfishsaltisverylong";
     print "$c\n";'

The number after the second '$' is the log2 of the number of
iterations it performs to generate the hash.  The default in
FreeBSD is hard coded to be the minimum allowable (4 i.e. 2^4 = 16
rounds), but there is nothing stopping you from pasting any higher
order hashes into the master.passwd file yourself.

-Paul.
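
Added example (not part of the original message): a small Python audit that reads master.passwd-style lines, pulls the cost out of each `$2a$NN$` field as described above, and lists accounts whose hash is not Blowfish or whose cost is below a threshold. The threshold of 12, the function names and the sample entries are assumptions; the hash bodies are constructed filler, not real crypt output.

```python
import re

# Blowfish (bcrypt) crypt field: $2a$<2-digit cost>$<22-char salt><31-char hash>.
# The cost is log2 of the iteration count; 4 is the minimum allowable.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 12  # assumption: site policy, taken from the highest cost tried above

def describe_hash(field):
    """Return (scheme, cost, iterations) for one password field."""
    m = BCRYPT_RE.match(field)
    if m:
        cost = int(m.group(2))
        if not 4 <= cost <= 31:
            return ("blowfish-invalid-cost", cost, None)
        return ("blowfish", cost, 1 << cost)
    if field.startswith("$1$"):
        return ("md5", None, None)
    return ("other", None, None)

def audit(passwd_text, min_cost=MIN_COST):
    """List (user, scheme, cost) for hashes that are not Blowfish at min_cost or above."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:  # master.passwd has 10 fields
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith("*"):  # locked or no-login account, nothing to crack
            continue
        scheme, cost, _ = describe_hash(pw)
        if scheme != "blowfish" or cost < min_cost:
            findings.append((user, scheme, cost))
    return findings

# Constructed sample input: hash bodies are filler characters of the right length.
SAMPLE = "\n".join([
    "root:$2a$04$" + "A" * 53 + ":0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$2a$12$" + "B" * 53 + ":1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$saltsalt$" + "C" * 22 + ":1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
])

if __name__ == "__main__":
    for user, scheme, cost in audit(SAMPLE):
        print(f"{user}: scheme={scheme} cost={cost}")
```
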