Default password hash, redux

John-Mark Gurney jmg at funkthat.com
Sat Jun 2 18:20:44 UTC 2018 

> 
> I believe that there are patches/review for making the default password
> hash algorithm configurable via login.conf or something similar.. so some
> of the work has already been done..
> 
> > I'd also like to see us to pull in scrypt if cperciva doesn't have any objections. It's good to have options.
> 
> Yes, pulling in scrypt and/or argon2 is a great idea...
> 
> -- 
>   John-Mark Gurney				Voice: +1 415 225 5579
> 
>      "All that I will do, has been done, All that I have, has not."
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

Dag-Erling Smrgrav wrote this message on Thu, May 31, 2018 at 00:38 +0200:
> John-Mark Gurney <jmg at funkthat.com> writes:
> > I believe that there are patches/review for making the default password
> > hash algorithm configurable via login.conf or something similar...
> 
> You mean like r64918?

No, I don't.

Sorry, I wasn't specific enough in my comment, but you also dropped the
context of that statment:

John-Mark Gurney wrote this message on Sun, May 27, 2018 at 16:14 -0700:
> Mark Felder wrote this message on Wed, May 23, 2018 at 16:40 -0500:
> > In light of this new article[2] I would like to rehash (pun intended) this conversation and also mention a bug report[3] we've been sitting on in some form for 12 years[4] with usable code that would make working with password hashing algorithms easier and the rounds configurable by the admin.
> 
> I'd like to see it set where we set a time, say 50ms or so, and on each
> boot, we set the rounds based upon this.  (obviously configurable), w/ a
> minimum maybe for slower systems...  This allows us to autoscale to faster
> cpu systems...

r64918 does not allow you to set default number of rounds...  there is
a patch in bugzilla or phabricator that allows you to set this..

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

More information about the freebsd-security mailing list