Date: Mon, 11 Jun 2012 12:51:47 +0100 From: "Simon L. B. Nielsen" <simon@FreeBSD.org> To: Lev Serebryakov <lev@freebsd.org> Cc: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= <des@des.no>, freebsd-security@freebsd.org Subject: Re: Default password hash Message-ID: <CAC8HS2EKQTWSE%2BtD5Y68E6YRiJjjogSEgXPBeqDH3b-cO_-DAQ@mail.gmail.com> In-Reply-To: <734419687.20120611144402@serebryakov.spb.ru> References: <86r4tqotjo.fsf@ds4.des.no> <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org> <734419687.20120611144402@serebryakov.spb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jun 11, 2012 at 11:44 AM, Lev Serebryakov <lev@freebsd.org> wrote: > Hello, Simon. > You wrote 10 =D0=B8=D1=8E=D0=BD=D1=8F 2012 =D0=B3., 14:02:50: > > SLBN> Has anyone looked at how long the SHA512 password hashing > SLBN> actually takes on modern computers? > =C2=A0Modern =C2=A0computers =C2=A0are =C2=A0not what should you afraid. = Modern GPUs are. > And they are incredibly fast in calculation of MD5, SHA-1 and SHA-2. > > =C2=A0Modern key-derivation schemes must be RAM-heavy, not CPU-heavy. But the modern CPU's will limit the number of rounds you can use for a hash (if you use same system as md5crypt), as you can't let users wait 10+ seconds to check their password. > =C2=A0And =C2=A0 I =C2=A0 don't =C2=A0 understand, =C2=A0 why =C2=A0shoul= d =C2=A0we =C2=A0use =C2=A0our =C2=A0home-grown > "strengthening" algorithms instead of "standard" choices: PBKDF2[1], > bcrypt[2] and (my favorite) scrypt[3]. Recall that FreeBSD's MD5 strengthening probably predates most of the other systems by a while (I'm too lazy to look it up). That said, I generally agree we should go with something standard or existing unless there is a very good reason not to. PBKDF2 / RFC2898 is what GELI uses (which I mentioned previously). > [1] http://tools.ietf.org/html/rfc2898 > [2] http://static.usenix.org/events/usenix99/provos/provos_html/node1.htm= l > [3] http://www.tarsnap.com/scrypt.html --=20 Simon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAC8HS2EKQTWSE%2BtD5Y68E6YRiJjjogSEgXPBeqDH3b-cO_-DAQ>