PHK's MD5 might not be slow enough anymore
Mike Andrews
mandrews at bit0.com
Thu Jan 28 22:36:55 UTC 2010
On 1/28/10 3:18 PM, Chris Palmer wrote:
> For backwards compatibility, which do people prefer: Creating a new $N$
> prefix every time we re-tune the algorithm, or using a new notation to say
> how many times this password was hashed? For example: $1.1000$, $1.100000$,
> et c.?
>
> I prefer the latter. It can work with Blowfish, too, and anything else
> people come up with in the future.
The Blowfish one already has that feature.
A long time ago (like FreeBSD 6.something, maybe earlier) I changed all
my /etc/login.conf files to set "passwd_format=blf" and all my password
hashes are in the format "$2a$04$salthash" -- with the "04" being the
(default) number of rounds of Blowfish to run. I have some users where
it's set to 11 rounds, and as you'd expect, it puts a pretty big hurt on
the ability of things like John The Ripper to attack the hashes.
Just making sure we aren't suggesting reinventing a wheel here :)
Even 4 rounds of Blowfish is far slower than 1000 rounds of MD5, and
1000 rounds of MD5 is far slower than DES. And yeah, fear of MD5
collisions is totally irrelevant here.
If you're really that worried about MD5 anyway, just change
"passwd_format=md5" to "passwd_format=blf" in your login.conf's default
section and be happy :)
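As an added illustration of the point above (not code from the original thread or from FreeBSD), the script below parses the crypt(3) hash formats discussed here and reads the work factor out of each: bcrypt strings carry their cost in the "$2a$NN$" field (the field is the base-2 logarithm of the expensive key-setup rounds, so "04" means 16 rounds and "11" means 2048), whereas md5crypt ("$1$") and traditional DES have a fixed iteration count and nothing to re-tune. An `audit()` helper then flags entries below a policy floor, which is the check an administrator would run over a password database before or after changing `passwd_format`. The sample hashes, user names and the `min_bcrypt_cost` threshold are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed crypt(3)-style strings for this example; they are not real password hashes.
SAMPLE_HASHES = {
    "alice": "$2a$04$abcdefghijklmnopqrstuv0123456789012345678901234567890",
    "bob":   "$2a$11$vutsrqponmlkjihgfedcba0123456789012345678901234567890",
    "carol": "$1$saltsalt$abcdefghijklmnopqrstuv",
    "dave":  "abJnggxhB/yWI",
}


class HashInfo(NamedTuple):
    scheme: str           # "bcrypt", "md5crypt" or "des"
    cost: Optional[int]   # tunable cost field as stored in the string, if the scheme has one
    iterations: int       # work factor: key-setup rounds (bcrypt), MD5 iterations, or DES encryptions


# "$2a$04$" + 22 salt characters + 31 hash characters, all from the crypt base64 alphabet
_BCRYPT = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
# "$1$" + up to 8 salt characters + "$" + 22 hash characters
_MD5CRYPT = re.compile(r"^\$1\$([^$]{1,8})\$([./A-Za-z0-9]{22})$")
# traditional DES crypt: 2 salt characters followed by 11 hash characters, no "$" prefix
_DES = re.compile(r"^[./A-Za-z0-9]{13}$")


def parse_hash(h: str) -> HashInfo:
    """Classify a crypt(3) hash string and extract its work factor."""
    m = _BCRYPT.match(h)
    if m:
        cost = int(m.group(2))
        # bcrypt's cost field is log2 of the number of expensive key-setup rounds
        return HashInfo("bcrypt", cost, 2 ** cost)
    if _MD5CRYPT.match(h):
        # md5crypt always runs 1000 iterations; the format has no field to change that
        return HashInfo("md5crypt", None, 1000)
    if _DES.match(h):
        # traditional DES crypt runs 25 DES encryptions of a zero block
        return HashInfo("des", None, 25)
    raise ValueError(f"unrecognised hash format: {h!r}")


def audit(hashes: dict, min_bcrypt_cost: int = 10) -> dict:
    """Return a finding per user whose hash is not tunable or sits below the cost floor.

    min_bcrypt_cost is an example policy value, not a FreeBSD default.
    """
    findings = {}
    for user, h in hashes.items():
        info = parse_hash(h)
        if info.scheme != "bcrypt":
            findings[user] = (f"{info.scheme}: fixed {info.iterations} iterations, "
                              f"not tunable; migrate to blf")
        elif info.cost < min_bcrypt_cost:
            findings[user] = (f"bcrypt cost {info.cost:02d} below floor "
                              f"{min_bcrypt_cost}; rehash on next login")
    return findings


if __name__ == "__main__":
    for user, h in SAMPLE_HASHES.items():
        print(user, parse_hash(h))
    for user, finding in audit(SAMPLE_HASHES).items():
        print(f"{user}: {finding}")
```

Raising the floor only affects hashes written after the change, since the cost is fixed when the string is generated; existing entries keep their old cost until the user's password is rehashed, which is why the audit reports them separately.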