I recommend adding support for Argon2.

https://en.wikipedia.org/wiki/Argon2

On Wed, May 23, 2018, 5:42 PM Mark Felder, <f...@freebsd.org> wrote:

> Around 2012[1] we made the brave switch from md5crypt to sha512. Some
> people were asking for bcrypt to be default, and others were hoping we
> would see pbkdf2 support. We went with compatible. Additionally, making
> password hashing more
>
> In light of this new article[2] I would like to rehash (pun intended) this
> conversation and also mention a bug report[3] we've been sitting on in some
> form for 12 years[4] with usable code that would make working with password
> hashing algorithms easier and the rounds configurable by the admin.
>
> I'd also like to see us pull in scrypt if cperciva doesn't have any
> objections. It's good to have options.
>
> PS: Why does "compatibility" matter for a default algorithm? Having a
> default different than Linux or Solaris isn't a bad thing as long as we
> implement the industry's common hashes which would permit any management
> tools twiddling the master.passwd manually to still be able to insert the
> password hashes in a common format...
>
> [1]
> https://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html
> [2]
> https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
> [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518
> [4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=75934 is the
> original report about the issue
>
> --
>   Mark Felder
>   ports-secteam & portmgr member
>   f...@freebsd.org
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
>