Date:      Fri, 28 Feb 2014 16:58:29 -0500
From:      Eitan Adler <lists@eitanadler.com>
To:        Allan Jude <freebsd@allanjude.com>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID:  <CAF6rxg=MeR9742DjxiRBxjaK=hCN4pZpKL8Tjd%2BVq=f75Ym4zA@mail.gmail.com>
In-Reply-To: <530FE2E9.5010902@allanjude.com>
References:  <530FE2E9.5010902@allanjude.com>

On 27 February 2014 20:14, Allan Jude <freebsd@allanjude.com> wrote:
> With r262501
> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> the upgraded bcrypt from OpenBSD and eventually changing the default
> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> seen in Forum software and other web apps.
>
> Transparent algorithm upgrade.
...

I would strongly support this

> I think Nick's point is you do want passwords using the "old" hash to expire
> at some point if they haven't been auto-converted.

Password expiry is an orthogonal issue and should be up to administrator policy.

> This might actually be more applicable with my next suggestion, exposing
> tuneables to control the number of rounds for bcrypt and sha512crypt. As
> this would make it easy to upgrade all existing bcrypt/sha512crypt
> hashes from the default number of rounds (10^4 and 5000 respectively) to
> higher values.

Another orthogonal issue: I'd like to see the results of the password
hashing competition (see: https://password-hashing.net/).


-- 
Eitan Adler
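The transparent-upgrade flow the thread describes, as an added example that is not FreeBSD's or either poster's code: it stands in for crypt(3) with PBKDF2 from the Python standard library (bcrypt and sha512crypt are not available there), and the identifiers, the rounds policy and the `login` API are hypothetical. The point it shows is that a stored hash can only be re-hashed at a successful login, because that is the one moment the plaintext is in hand, and that a raised round count is upgraded the same way as a changed algorithm identifier.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Site-wide hashing policy (constructed for this example). Raising POLICY_ROUNDS
# or changing POLICY_ALG is what triggers the transparent upgrade at next login.
POLICY_ALG = "pbkdf2-sha512"
POLICY_ROUNDS = 20_000

# Digest behind each supported identifier; "pbkdf2-sha256" plays the legacy
# algorithm here, the way $2a$ or a low-rounds $6$ hash would on a real system.
DIGESTS = {"pbkdf2-sha256": "sha256", "pbkdf2-sha512": "sha512"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_hash(password: str, alg: str = POLICY_ALG, rounds: int = POLICY_ROUNDS,
              salt: Optional[bytes] = None) -> str:
    """Return a "$alg$rounds=N$salt$hash" string modelled on crypt(3) output."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(DIGESTS[alg], password.encode("utf-8"), salt, rounds)
    return f"${alg}$rounds={rounds}${_b64(salt)}${_b64(dk)}"


def parse_hash(stored: str) -> Tuple[str, int, bytes, bytes]:
    _, alg, rounds_field, salt, dk = stored.split("$")
    if alg not in DIGESTS or not rounds_field.startswith("rounds="):
        raise ValueError("unsupported hash format")
    return alg, int(rounds_field[len("rounds="):]), base64.b64decode(salt), base64.b64decode(dk)


def needs_upgrade(stored: str) -> bool:
    """True when the stored hash uses an older identifier or fewer rounds than policy."""
    alg, rounds, _, _ = parse_hash(stored)
    return alg != POLICY_ALG or rounds < POLICY_ROUNDS


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify password against stored; on success also return a replacement
    hash under current policy when the stored one is below it, else None.
    The caller writes the replacement back to the password database."""
    alg, rounds, salt, expected = parse_hash(stored)
    actual = hashlib.pbkdf2_hmac(DIGESTS[alg], password.encode("utf-8"), salt, rounds)
    if not hmac.compare_digest(actual, expected):
        return False, None  # a failed attempt never touches the stored hash
    return True, (make_hash(password) if needs_upgrade(stored) else None)
```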
