Default password hash
Mike Tancsa
mike at sentex.net
Sat Jun 9 11:34:24 UTC 2012
On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its
currently not there.
RELENG_7 is supported until 2013
Sort of a security issue considering this assessment of MD5
http://phk.freebsd.dk/sagas/md5crypt_eol.html
---Mike
>
> Index: etc/login.conf
> ===================================================================
> --- etc/login.conf (revision 236616)
> +++ etc/login.conf (working copy)
> @@ -23,7 +23,7 @@
> # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
> default:\
> - :passwd_format=md5:\
> + :passwd_format=sha512:\
> :copyright=/etc/COPYRIGHT:\
> :welcome=/etc/motd:\
> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
> DES
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-security
mailing list