PHK's MD5 might not be slow enough anymore
Mike Andrews
mandrews at bit0.com
Thu Jan 28 22:44:25 UTC 2010
On Thu, 28 Jan 2010, Mike Andrews wrote:
> On 1/28/10 3:18 PM, Chris Palmer wrote:
>> For backwards compatibility, which do people prefer: Creating a new $N$
>> prefix every time we re-tune the algorithm, or using a new notation to say
>> how many times this password was hashed? For example: $1.1000$, $1.100000$,
>> et c.?
>>
>> I prefer the latter. It can work with Blowfish, too, and anything else
>> people come up with in the future.
>
> The Blowfish one already has that feature.
>
> A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my
> /etc/login.conf files to set "passwd_format=blf" and all my password hashes
> are in the format "$2a$04$salthash" -- with the "04" being the (default)
> number of rounds of Blowfish to run. I have some users where it's set to 11
> rounds, and as you'd expect, it puts a pretty big hurt on the ability of
> things like John The Ripper to attack the hashes.

Actually that's not the number of rounds, it's the log2() of the number of
rounds. So 04 is really 2^4=16 rounds (the minimum), 11 is 2^11=2048
rounds, and the maximum is 31 -- which as the source code states, oughta
scale pretty well for a while. :)

See /usr/src/secure/lib/libcrypt/crypt-blowfish.c

There is probably a login.conf knob to raise the default number of rounds
beyond 2^4.

But the point remains: look at what FreeBSD already has. :)
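
Added example, not part of the original message and not FreeBSD's own code: a small audit that reads the two-digit cost from "$2a$NN$..." hashes, converts it to the real round count (2^NN, as described above), and flags accounts below a target cost. The sample master.passwd-style lines are constructed, and the target cost of 11 and the function names are assumptions made for illustration.

```python
import re

# bcrypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}$")
MIN_COST, MAX_COST = 4, 31  # bounds quoted in the message above


def bcrypt_rounds(hash_field):
    """Return (cost, rounds) for a bcrypt hash, None if the field is not bcrypt."""
    m = BCRYPT_RE.match(hash_field)
    if m is None:
        return None
    cost = int(m.group(1))
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    return cost, 1 << cost  # the field stores log2(rounds), not rounds


def audit(passwd_lines, wanted_cost=11):  # 11 is an assumed site policy
    """Return [(user, status, rounds)] for master.passwd-style lines."""
    report = []
    for line in passwd_lines:
        user, field = line.split(":")[:2]
        try:
            parsed = bcrypt_rounds(field)
        except ValueError:
            report.append((user, "invalid-cost", None))
            continue
        if parsed is None:  # e.g. $1$ MD5 hashes or locked accounts
            report.append((user, "not-bcrypt", None))
        else:
            cost, rounds = parsed
            status = "ok" if cost >= wanted_cost else "below-target"
            report.append((user, status, rounds))
    return report


# Constructed sample data: salts and hashes are filler, not real credentials.
FILLER = "a" * 22 + "b" * 31
SAMPLE = [
    "alice:$2a$04$" + FILLER + ":1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$2a$11$" + FILLER + ":1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:$1$saltsalt$" + "c" * 22 + ":1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "dave:*LOCKED*:1004:1004::0:0:Dave:/home/dave:/bin/sh",
    "eve:$2a$32$" + FILLER + ":1005:1005::0:0:Eve:/home/eve:/bin/sh",
]

if __name__ == "__main__":
    for user, status, rounds in audit(SAMPLE):
        print(f"{user:6} {status:13} rounds={rounds}")
```

Each step down in the cost field halves the attacker's work, so an account at 04 is 2^7 = 128 times cheaper to attack than one at 11.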