Mark Felder wrote this message on Wed, May 23, 2018 at 16:40 -0500:
> Around 2012[1] we made the brave switch from md5crypt to sha512. Some people
> were asking for bcrypt to be default, and others were hoping we would see
> pbkdf2 support. We went with compatible. Additionally, making password
> hashing more
>
> In light of this new article[2] I would like to rehash (pun intended) this
> conversation and also mention a bug report[3] we've been sitting on in some
> form for 12 years[4] with usable code that would make working with password
> hashing algorithms easier and the rounds configurable by the admin.
I'd like to see it set where we set a time, say 50ms or so, and on each boot,
we set the rounds based upon this. (obviously configurable), w/ a minimum maybe
for slower systems... This allows us to autoscale to faster cpu systems...

I believe that there are patches/review for making the default password hash
algorithm configurable via login.conf or something similar.. so some of the
work has already been done..

> I'd also like to see us to pull in scrypt if cperciva doesn't have any
> objections. It's good to have options.

Yes, pulling in scrypt and/or argon2 is a great idea...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
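The boot-time calibration John-Mark describes (pick a time budget, measure the machine, derive the rounds, never go below a floor) can be sketched in a few functions. The following is an added example written for this page; it is not code from the FreeBSD thread, the referenced bug report, or the FreeBSD source tree. It uses PBKDF2-HMAC-SHA512 from Python's hashlib as the work function (FreeBSD's crypt(3) is not used), the 50 ms figure from the message as the default budget, and an assumed floor of 100,000 rounds; the `$pbkdf2-sha512$<rounds>$<salt>$<hash>` record layout is constructed for the example so that the rounds travel with each hash, which is what lets the admin (or the next boot) change the work factor without breaking existing passwords.

```python
"""Calibrate a password-hashing work factor to a time budget at startup.

Added example, not FreeBSD code. The work function is PBKDF2-HMAC-SHA512
from hashlib; the record format '$pbkdf2-sha512$<rounds>$<salt>$<hash>' is
constructed for this example and is not FreeBSD's crypt(3) format.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

DEFAULT_TARGET_MS = 50.0       # the "say 50ms or so" budget from the thread
DEFAULT_MIN_ROUNDS = 100_000   # assumed floor so a slow box never gets a weak setting
PROBE_ROUNDS = 20_000          # rounds used for the timing sample


def time_rounds(rounds: int) -> float:
    """Wall-clock milliseconds for one PBKDF2-HMAC-SHA512 derivation at `rounds`."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"probe-password", b"probe-salt-16byt", rounds)
    return (time.perf_counter() - start) * 1000.0


def rounds_for_budget(sample_rounds: int, sample_ms: float,
                      target_ms: float, min_rounds: int) -> int:
    """Scale a timing sample linearly to the target budget, never below the floor.

    PBKDF2 cost is linear in the round count, so rounds-per-millisecond from
    one sample extrapolates to the budget.  A zero or negative sample (clock
    glitch) falls back to the floor rather than producing a huge count.
    """
    if sample_ms <= 0:
        return min_rounds
    scaled = int(sample_rounds * (target_ms / sample_ms))
    return max(scaled, min_rounds)


def calibrate_rounds(target_ms: float = DEFAULT_TARGET_MS,
                     min_rounds: int = DEFAULT_MIN_ROUNDS,
                     probe_rounds: int = PROBE_ROUNDS) -> int:
    """Boot-time calibration: take the fastest of three probes (least noise) and scale."""
    sample_ms = min(time_rounds(probe_rounds) for _ in range(3))
    return rounds_for_budget(probe_rounds, sample_ms, target_ms, min_rounds)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, rounds: int, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record so the round count can change between boots."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the rounds stored in the record and compare in constant time."""
    _, scheme, rounds, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, current_rounds: int) -> bool:
    """True when the stored record used fewer rounds than the current calibration."""
    return int(record.split("$")[2]) < current_rounds


if __name__ == "__main__":
    rounds = calibrate_rounds()
    print(f"calibrated rounds for ~{DEFAULT_TARGET_MS:.0f} ms: {rounds}")
    rec = hash_password("correct horse battery staple", rounds)
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify bad:", verify_password("wrong", rec))
    print("needs rehash at 2x rounds:", needs_rehash(rec, rounds * 2))
```

Because the round count is embedded in every record, a faster machine after the next boot simply hashes new passwords with more rounds while old records still verify; `needs_rehash` is the hook a login path would use to upgrade a record transparently after a successful authentication. The floor is what protects the slow-systems case in the message: the calibration can only raise the work factor above it, never lower it.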