One thing to consider -- given the nature of the recent attack on LinkedIn -- is to provide a setting that allows one to increase the size of the "salt." The main danger, when a file of hashed passwords is stolen (as was the case with LinkedIn), is that an attacker can use a pre-computed dictionary to break accounts with weak or commonly used passwords. The larger the "salt," the more impractical it becomes to prepare or store such a dictionary. This can matter more than the strength or computational burden of the hashing algorithm.
--Brett Glass

At 06:51 AM 6/8/2012, Dag-Erling Smørgrav wrote:
We still have MD5 as our default password hash, even though known-hash attacks against MD5 are relatively easy these days. We've supported SHA256 and SHA512 for many years now, so how about making SHA512 the default instead of MD5, like on most Linux distributions?

Index: etc/login.conf =================================================================== --- etc/login.conf (revision 236616) +++ etc/login.conf (working copy) @@ -23,7 +23,7 @@ # AND SEMANTICS'' section of getcap(3) for more escape sequences). default:\ - :passwd_format=md5:\ + :passwd_format=sha512:\ :copyright=/etc/COPYRIGHT:\ :welcome=/etc/motd:\ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\

DES -- Dag-Erling Smørgrav - d...@des.no

_______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
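Review bot: flipping `:passwd_format=md5:` to `:passwd_format=sha512:` in the `default` class only governs how passwords set from now on are hashed; every existing `$1$` MD5 hash in master.passwd stays MD5 until that user next changes their password, and because login.conf is consulted through the getcap(3) database named in the context line, the compiled login.conf.db must also be regenerated before the new default is even read. The proposal text should state both, and say whether any per-user class or installer template that overrides `passwd_format` needs the same change, so that operators know to audit for accounts still carrying MD5 hashes after the switch.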
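The two points raised in this thread, that the password-hash scheme matters and that the size of the salt decides whether a precomputed dictionary is practical, can be checked mechanically on a password database. The following is an added example written for this editorial pass; it is not code from the thread, from Brett Glass, from Dag-Erling Smørgrav or from FreeBSD. It parses the modular-crypt password field of master.passwd-style lines (the `$1$` MD5 and `$5$`/`$6$` SHA-crypt prefixes, with the salt-length limits those schemes impose), reports which accounts still carry MD5 hashes after a default such as the patch above has been changed, and works out how many times larger a precomputed table would have to be to cover every possible salt of a given length. The sample lines and their hash digests are constructed for the example and are not real credentials; the 64-character salt alphabet is the conventional crypt alphabet.

```python
import math
import re
import secrets
import string

# Modular-crypt prefixes found in FreeBSD master.passwd (and Linux shadow).
# Second element: maximum salt length the scheme actually uses.
SCHEMES = {
    "1": ("md5", 8),      # md5crypt truncates the salt to 8 characters
    "5": ("sha256", 16),  # sha-crypt allows up to 16 characters
    "6": ("sha512", 16),
}
SALT_ALPHABET = string.ascii_letters + string.digits + "./"  # 64 symbols
BITS_PER_SALT_CHAR = math.log2(len(SALT_ALPHABET))           # exactly 6

# Constructed sample master.passwd lines (10 fields). The digests are dummies.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$XXXXXXXXXXXXXXXXXXXXXX:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$0123456789abcdef$YYYYYYYYYYYYYYYYYYYYYY:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$rounds=5000$abcdefghijklmnop$ZZZZZZZZZZZZ:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

_HASH_RE = re.compile(r"^\$(\d)\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$")


def parse_hash(field):
    """Return (scheme_name, effective_salt) for a modular-crypt password field,
    or None for locked accounts ('*') and formats this example does not know."""
    m = _HASH_RE.match(field)
    if not m or m.group(1) not in SCHEMES:
        return None
    name, max_len = SCHEMES[m.group(1)]
    return name, m.group(2)[:max_len]


def salt_bits(salt):
    """Entropy of a salt drawn uniformly from the crypt alphabet."""
    return int(len(salt) * BITS_PER_SALT_CHAR)


def precomputed_table_multiplier(salt):
    """How many times larger a precomputed dictionary must be to cover every
    possible salt of this length, relative to an unsalted hash of the same list."""
    return 2 ** salt_bits(salt)


def audit_master_passwd(text):
    """Map account name -> (scheme, salt bits), or None for locked/unknown entries."""
    report = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        parsed = parse_hash(fields[1])
        report[fields[0]] = None if parsed is None else (parsed[0], salt_bits(parsed[1]))
    return report


def accounts_on(report, scheme):
    """Accounts whose stored hash still uses the given scheme (e.g. 'md5')."""
    return sorted(name for name, info in report.items() if info and info[0] == scheme)


def new_salt(prefix):
    """A full-length random salt for the given scheme prefix ('1', '5' or '6')."""
    max_len = SCHEMES[prefix][1]
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(max_len))


if __name__ == "__main__":
    report = audit_master_passwd(SAMPLE)
    for name, info in report.items():
        print(f"{name:8s} {info}")
    print("still on md5:", accounts_on(report, "md5"))
    print("table multiplier for an 8-char salt: 2^%d" % salt_bits("abcdefgh"))
    print("table multiplier for a 16-char salt: 2^%d" % salt_bits(new_salt("6")))
```

Running it on the constructed sample reports alice as the one account still on MD5 with a 48-bit salt, while the `$6$` entries carry 96-bit salts, which is the difference between a precomputed table that is 2^48 times the wordlist and one that is 2^96 times it. On a real system the same audit over /etc/master.passwd (readable only by root) tells an operator which users must re-set their passwords before the old MD5 hashes are gone.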