PHK's MD5 might not be slow enough anymore

[Mike Andrews]

On Thu, 28 Jan 2010, Mike Andrews wrote:

> On 1/28/10 3:18 PM, Chris Palmer wrote:
>> For backwards compatibility, which do people prefer: Creating a new $N$
>> prefix every time we re-tune the algorithm, or using a new notation to say
>> how many times this password was hashed? For example: $1.1000$, $1.100000$,
>> et c.?
>> 
>> I prefer the latter. It can work with Blowfish, too, and anything else
>> people come up with in the future.
>
> The Blowfish one already has that feature.
>
> A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my 
> /etc/login.conf files to set "passwd_format=blf" and all my password hashes 
> are in the format "$2a$04$salthash" -- with the "04" being the (default) 
> number of rounds of Blowfish to run.  I have some users where it's set to 11 
> rounds, and as you'd expect, it puts a pretty big hurt on the ability of 
> things like John The Ripper to attack the hashes.

Actaully that's not the number of rounds, it's the log2() of the number of 
rounds.  So 04 is really 2^4=16 rounds (the minimum), 11 is 2^11=2048 
rounds, and the maximum is 31 -- which as the source code states, oughta 
scale pretty well for a while.  :)

See /usr/src/secure/lib/libcrypt/crypt-blowfish.c

There is probably a login.conf knob to raise the default number of rounds 
beyond 2^4.

But the point remains: look at what FreeBSD already has.  :)