Date: Sun, 27 May 2018 16:14:18 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: Mark Felder <feld@FreeBSD.org> Cc: freebsd-security@freebsd.org Subject: Re: Default password hash, redux Message-ID: <20180527231418.GG4982@funkthat.com> In-Reply-To: <1527111631.2205598.1382649664.0BF85F15@webmail.messagingengine.com> References: <1527111631.2205598.1382649664.0BF85F15@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Felder wrote this message on Wed, May 23, 2018 at 16:40 -0500:
> Around 2012[1] we made the brave switch from md5crypt to sha512. Some people were asking for bcrypt to be default, and others were hoping we would see pbkdf2 support. We went with compatible. Additionally, making password hashing more
>
> In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin.
I'd like to see it set where we set a time, say 50ms or so, and on each
boot, we set the rounds based upon this. (obviously configurable), w/ a
minimum maybe for slower systems... This allows us to autoscale to faster
cpu systems...
I believe that there are patches/review for making the default password
hash algorithm configurable via login.conf or something similar.. so some
of the work has already been done..
> I'd also like to see us to pull in scrypt if cperciva doesn't have any objections. It's good to have options.
Yes, pulling in scrypt and/or argon2 is a great idea...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180527231418.GG4982>