From: Eitan Adler
Date: Fri, 28 Feb 2014 16:58:29 -0500
Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms
To: Allan Jude
Cc: FreeBSD Current
In-Reply-To: <530FE2E9.5010902@allanjude.com>
References: <530FE2E9.5010902@allanjude.com>
List-Id: Discussions about the use of FreeBSD-current

On 27 February 2014 20:14, Allan Jude wrote:
> With r262501
> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> the upgraded bcrypt from OpenBSD and eventually changing the default
> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> seen in Forum software and other web apps.
>
> Transparent algorithm upgrade.

...

I would strongly support this

> I think Nick's point is you do want passwords using the "old" hash to
> expire at some point if they haven't been auto-converted.

Password expiry is an orthogonal issue and should be up to administrator policy.

> This might actually be more applicable with my next suggestion, exposing
> tuneables to control the number of rounds for bcrypt and sha512crypt. As
> this would make it easy to upgrade all existing bcrypt/sha512crypt
> hashes from the default number of rounds (10^4 and 5000 respectively) to
> higher values.

Another orthogonal issue: I'd like to see the results of the password hashing competition (see https://password-hashing.net/).

-- 
Eitan Adler
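The upgrade-on-login flow the thread discusses, written out as an added example (not code from this message or from FreeBSD's libcrypt): the stored crypt(3) modular string is parsed for its identifier and rounds, compared against an administrator policy (the `$2b$`/cost 12 and 10000-round values are assumed), and rehashed only after a successful verification, since that is the only moment the plaintext is available. The hashing primitive is a labelled PBKDF2 stand-in so the block runs without libcrypt; only the identifier/rounds parsing and the upgrade decision reflect real crypt(3) formats.

```python
import hashlib, hmac, os, re

# Assumed administrator policy: bcrypt must be $2b$ at cost 12; sha512crypt ($6$) needs >= 10000 rounds.
POLICY = {"bcrypt_cost": 12, "sha512_rounds": 10000}

def parse_crypt(h):
    """Return (identifier, rounds) from a crypt(3) modular string, else None."""
    m = re.match(r"^\$(2[abxy]?)\$(\d{2})\$", h)       # bcrypt: $2b$12$...
    if m:
        return m.group(1), int(m.group(2))
    m = re.match(r"^\$(5|6)\$(?:rounds=(\d+)\$)?", h)   # sha*crypt, default 5000 rounds
    if m:
        return m.group(1), int(m.group(2) or 5000)
    return None

def needs_upgrade(h, policy=POLICY):
    """True if the stored hash is below policy (old identifier or too few rounds)."""
    parsed = parse_crypt(h)
    if parsed is None:             # DES, md5crypt or unknown scheme: always upgrade
        return True
    ident, rounds = parsed
    if ident.startswith("2"):
        return ident != "2b" or rounds < policy["bcrypt_cost"]
    return rounds < policy["sha512_rounds"]

def stand_in_crypt(password, setting):
    """Stand-in for crypt(3) so the example runs without libcrypt: keeps the
    modular prefix but derives the body with PBKDF2 (constructed, NOT bcrypt)."""
    ident, rounds = parse_crypt(setting)
    iters = 2 ** rounds if ident.startswith("2") else rounds   # bcrypt cost is log2
    body = hashlib.pbkdf2_hmac("sha512", password.encode(), setting.encode(), iters)
    return setting + "$" + body.hex()

def verify(password, stored):
    setting = stored.rsplit("$", 1)[0]                 # everything before the hash body
    return hmac.compare_digest(stand_in_crypt(password, setting), stored)

def new_setting(policy=POLICY):
    return "$2b$%02d$%s" % (policy["bcrypt_cost"], os.urandom(16).hex()[:22])

def login(user_db, user, password, policy=POLICY):
    """Authenticate; on success, transparently rehash a below-policy entry.
    A failed login must never touch the stored hash."""
    stored = user_db[user]
    if not verify(password, stored):
        return False
    if needs_upgrade(stored, policy):
        user_db[user] = stand_in_crypt(password, new_setting(policy))
    return True
```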