PHK's MD5 might not be slow enough anymore
Dan Lukes
dan at obluda.cz
Fri Jan 29 00:23:37 UTC 2010
On 01/28/10 23:44, Mike Andrews:
>> all my password hashes are in the format "$2a$04$salthash" -- with the "04"
>> being the (default) number of rounds of Blowfish to run
> There is probably a login.conf knob to raise the default number of
> rounds beyond 2^4.
No. The standard way of password change flow trough pam_unix.c.
It call crypt(new_pass, salt) where salt is pseudo-random sequence. As
such salt doesn't start with a magic, the default algorithm is selected.
If it si blowfish, then crypt_blowfish(key, salt) is called.
As the random salt doesn't start with $2a$ magic it is not considered to
be '$2a$nn$salt'-like string. Then default number (04) is used all the
times.
Dan
More information about the freebsd-security
mailing list