Date: Fri, 29 Jan 2010 00:33:25 +0100 From: Dan Lukes <dan@obluda.cz> To: Mike Andrews <mandrews@bit0.com> Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore Message-ID: <4B621EC5.3030400@obluda.cz> In-Reply-To: <alpine.BSF.2.00.1001281738110.43056@beast.int.bit0.com> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B620DAC.4080608@bit0.com> <alpine.BSF.2.00.1001281738110.43056@beast.int.bit0.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 01/28/10 23:44, Mike Andrews: >> all my password hashes are in the format "$2a$04$salthash" -- with the "04" >> being the (default) number of rounds of Blowfish to run > There is probably a login.conf knob to raise the default number of > rounds beyond 2^4. No. The standard way of password change flow trough pam_unix.c. It call crypt(new_pass, salt) where salt is pseudo-random sequence. As such salt doesn't start with a magic, the default algorithm is selected. If it si blowfish, then crypt_blowfish(key, salt) is called. As the random salt doesn't start with $2a$ magic it is not considered to be '$2a$nn$salt'-like string. Then default number (04) is used all the times. Dan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B621EC5.3030400>