Default password hash
Mark Felder
feld at feld.me
Fri Jun 8 15:04:21 UTC 2012
On Fri, 08 Jun 2012 07:51:55 -0500, Dag-Erling Smørgrav <des at des.no> wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
>
> Index: etc/login.conf
> ===================================================================
> --- etc/login.conf (revision 236616)
> +++ etc/login.conf (working copy)
> @@ -23,7 +23,7 @@
> # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
> default:\
> - :passwd_format=md5:\
> + :passwd_format=sha512:\
> :copyright=/etc/COPYRIGHT:\
> :welcome=/etc/motd:\
> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
> DES
I strongly support this -- using either SHA-2 or Blowfish would be a great
step forward. You'll also want to change the defuault for auth.conf so
adduser picks it up.
#
# $FreeBSD: releng/9.0/etc/auth.conf 118103 2003-07-28 02:28:51Z rwatson $
#
# Configure some authentication-related defaults. This file is being
# gradually subsumed by user class and PAM configuration.
#
# crypt_default = md5 des
More information about the freebsd-security
mailing list