blf uses only 2^4 round for passwd encoding?! [Re: Default password hash]

Oliver Pinter oliver.pntr at gmail.com
Sun Jun 10 22:37:31 UTC 2012


http://svnweb.freebsd.org/base/head/secure/lib/libcrypt/crypt-blowfish.c?revision=231986&view=markup

        static const char     *magic = "$2a$04$";

                /* Defaults */
        minr = 'a';
        logr = 4;
        rounds = 1 << logr;

        /* If it starts with the magic string, then skip that */
        if(!strncmp(salt, magic, strlen(magic))) {
                salt += strlen(magic);
        }

grep 04 /etc/master.passwd:
root:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:XXX:/root:/bin/csh
xxxx:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:100X:100X::0:0:XXXXXXXXXXXXX:/home/xxxx:/bin/tcsh

16 rounds in 2012? Is it not too weak?!

On 6/8/12, Dag-Erling Smørgrav <des at des.no> wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days.  We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
>
> Index: etc/login.conf
> ===================================================================
> --- etc/login.conf      (revision 236616)
> +++ etc/login.conf      (working copy)
> @@ -23,7 +23,7 @@
>  # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
>  default:\
> -       :passwd_format=md5:\
> +       :passwd_format=sha512:\
>         :copyright=/etc/COPYRIGHT:\
>         :welcome=/etc/motd:\
>         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
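Review bot: The `:passwd_format=sha512:\` line names only the algorithm, and nothing in this hunk says what happens to entries already hashed under `passwd_format=md5` or what work factor the new format runs at. passwd_format is consulted when a password is set, so existing hashes stay as they are until each user changes their password. The commit message or an UPDATING entry should say that, and should state the round count sha512 gets by default, since a format's default cost can be low.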
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
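An audit along the lines of the grep in the message above, as an added example that is not part of the original e-mail or of FreeBSD's code: it reads master.passwd-style lines and reports accounts whose hash is in the MD5-based format or is Blowfish below a chosen cost. The threshold MIN_BCRYPT_LOG2, the function names and the sample accounts are assumptions constructed for illustration.

```python
import re

MIN_BCRYPT_LOG2 = 10  # assumed policy threshold, not a value from the thread

# Constructed sample in master.passwd(5) layout; hash bodies are placeholders.
SAMPLE = """\
root:$2a$04$XXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$XXXXXXXX$XXXXXXXXXXXXXXXXXXXXXX:1001:1001::0:0:Alice:/home/alice:/bin/tcsh
bob:$6$XXXXXXXX$XXXXXXXXXXXXXXXXXXXXXX:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$2a$12$XXXXXXXXXXXXXXXXXXXXXX:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""

BCRYPT = re.compile(r"^\$2[a-z]?\$(\d{2})\$")

def classify(field):
    """Return (scheme, finding) for one password field; finding is None if OK."""
    if not field.startswith("$"):
        return ("other", None)  # '*', empty or non-modular format: not examined
    m = BCRYPT.match(field)
    if m:
        cost = int(m.group(1))  # log2 of the round count, e.g. 04 -> 2^4 rounds
        weak = cost < MIN_BCRYPT_LOG2
        return ("blf", f"cost 2^{cost} is below 2^{MIN_BCRYPT_LOG2}" if weak else None)
    if field.startswith("$1$"):
        return ("md5", "MD5-based format")
    if field.startswith("$5$"):
        return ("sha256", None)
    if field.startswith("$6$"):
        return ("sha512", None)
    return ("unknown", "unrecognised hash prefix")

def audit(text):
    """Return [(user, scheme, finding)] for entries that have a finding."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, finding = classify(parts[1])
        if finding:
            out.append((parts[0], scheme, finding))
    return out

if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE):
        print(f"{user}: {scheme}: {finding}")
```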

