On Thu, Jan 28, 2010 at 10:24:13AM -0800, Chris Palmer wrote:
> See your copy of /usr/src/lib/libcrypt/crypt-md5.c: [...]
> This algorithm is still the default on FreeBSD 8. (Blowfish is available --
> but has it been tuned for slowness either? I have not checked.) The purpose
> of these functions is to be slow, but the above has not been slow for years.
> Hence this patch: [...]

This is the wrong approach. It should be done using PKCS#5v2, just like geli(8) does it. It even calculates the number of iterations so the operation completes in a reasonable amount of time on your machine (e.g. 1 second). It also uses HMAC/SHA512. On some recent CPUs (amd64) it should be possible for 2^20 iterations to complete in a reasonable amount of time.

Even strong passwords have no more than five bits of entropy per character (probably much less if it is something possible to remember), so to brute-force one character you need 2^5 iterations, which means that a strong eight-character password needs 2^40 iterations for a full brute-force. Adding 2^20 iterations of PKCS#5v2 makes it 2^60, which is not bad.

Of course if we assume that 2^20 of PKCS#5v2 takes one second, then it will take ~34865 years to fully brute-force it on one machine. Although you can safely assume that if you really have something to hide, an attacker will be able to use a 100.000-node botnet, which leaves you with only ~127 days to change your password:)

Remember that this is a login password we are talking about, not a password used for encryption, so all you want to protect it against is theft of /etc/master.passwd.

<advert>
All in all, static passwords are for the weak, that's why we (Wheel Systems) believe in easy-to-use one-time passwords:)
</advert>

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
p...@freebsd.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
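
Added example, not part of the original message and not FreeBSD or geli code: a Python sketch of the calibrated PKCS#5v2 (PBKDF2 with HMAC-SHA512) scheme the reply describes, together with its brute-force arithmetic. The function names, the record format, the probe size and the 0.1-second demo target are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def calibrate_iterations(target_seconds, probe=2000):
    """Time a small probe run and scale it to the target duration."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"probe-password", b"probe-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe * target_seconds / elapsed))

def hash_password(password, iterations):
    """Return a self-describing record (hypothetical format, not crypt(3)'s)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "pbkdf2-sha512$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def brute_force_years(bits_per_char, length, seconds_per_guess, machines=1):
    """Full keyspace search time, using the message's entropy estimate."""
    guesses = 2 ** (bits_per_char * length)
    return guesses * seconds_per_guess / machines / SECONDS_PER_YEAR

if __name__ == "__main__":
    n = calibrate_iterations(0.1)   # 0.1 s keeps the demo quick
    rec = hash_password("correct horse", n)   # constructed sample password
    print(n, verify_password("correct horse", rec))
    print(int(brute_force_years(5, 8, 1.0)), "years on one machine")
    print(int(brute_force_years(5, 8, 1.0, 100000) * 365), "days on 100000")
```

Storing the iteration count next to the salt is what lets the count be recalibrated on faster hardware without invalidating records hashed earlier.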