Robert Connolly wrote:
> On Thursday October 9 2008 06:21:37 pm Bruce Dubbs wrote:
>
>> Should there be a mention of the possible use of SHA password encryption?
>
> Using MD5 or SHA can be kept simple by using all the default options for SHA,
> and mentioning that there are more options in login.def. Many people probably
> don't know SHA was added to Glibc.

When you mention the possibility for SHA, maybe it is a good idea to also mention the option to increase the number of SHA rounds.
From login.def:

    # Define the number of SHA rounds.
    # With a lot of rounds, it is more difficult to brute forcing the password.
    # But note also that it more CPU resources will be needed to authenticate
    # users.
    #
    # If not specified, the libc will choose the default number of rounds (5000).
    # The values must be inside the 1000-999999999 range.
    # If only one of the MIN or MAX values is set, then this value will be used.
    # If MIN > MAX, the highest value will be used.
    #
    # SHA_CRYPT_MIN_ROUNDS 5000
    # SHA_CRYPT_MAX_ROUNDS 5000

I do not have any numbers on the CPU resources needed when (dramatically) increasing SHA rounds.

DIY note for reference:
http://www.diy-linux.org/pipermail/diy-linux-dev/2008-October/001309.html

Olaf
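An added example, not part of the original message or of the shadow package: it applies the MIN/MAX rules quoted above to a login.defs text and reads the round count stored in existing `$5$`/`$6$` hashes, so accounts whose hashes predate a rounds increase can be listed. All function names and sample data are constructed for illustration, and clamping out-of-range values is an assumption of this sketch.

```python
import re

DEFAULT_ROUNDS = 5000             # libc default, per the login.defs comment
RANGE = (1000, 999_999_999)       # valid range, per the login.defs comment
KEY = re.compile(r"SHA_CRYPT_(MIN|MAX)_ROUNDS\s+(\d+)")

# Constructed sample input (not from a real system).
SAMPLE_DEFS = "ENCRYPT_METHOD SHA512\nSHA_CRYPT_MIN_ROUNDS 200000\n# SHA_CRYPT_MAX_ROUNDS 5000\n"
SAMPLE_SHADOW = {
    "alice": "$6$rounds=200000$c29tZXNhbHQ$placeholderhash",
    "bob": "$6$c29tZXNhbHQ$placeholderhash",      # no rounds= field: default
    "carol": "$1$c29tZXNhbHQ$placeholderhash",    # MD5-crypt, not SHA-crypt
}


def configured_rounds(login_defs_text):
    """Return (low, high) rounds implied by the active SHA_CRYPT_* lines."""
    seen = {}
    for raw in login_defs_text.splitlines():
        m = KEY.fullmatch(raw.split("#", 1)[0].strip())   # ignore comments
        if m:
            seen[m.group(1)] = int(m.group(2))
    if not seen:
        return (DEFAULT_ROUNDS, DEFAULT_ROUNDS)           # libc picks the default
    low = seen.get("MIN", seen.get("MAX"))                # only one set: use it
    high = seen.get("MAX", seen.get("MIN"))
    if low > high:                                        # MIN > MAX: highest wins
        high = low
    # Assumption of this example: out-of-range values are clamped into RANGE.
    return tuple(max(RANGE[0], min(RANGE[1], n)) for n in (low, high))


def rounds_of_hash(field):
    """Rounds used by a $5$/$6$ hash string; None if it is not SHA-crypt."""
    m = re.match(r"\$[56]\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else DEFAULT_ROUNDS


def below_policy(shadow, login_defs_text):
    """Users whose stored hash is weaker than what login.defs now produces."""
    floor = configured_rounds(login_defs_text)[0]
    return sorted(u for u, h in shadow.items() if (rounds_of_hash(h) or 0) < floor)


if __name__ == "__main__":
    print(configured_rounds(SAMPLE_DEFS), below_policy(SAMPLE_SHADOW, SAMPLE_DEFS))
```

The round count is stored inside each hash string, so raising the setting only affects passwords set afterwards; the accounts this lists keep their old cost until the password is changed.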