>
> I believe that there are patches/review for making the default password
> hash algorithm configurable via login.conf or something similar.. so some
> of the work has already been done..
>
> > I'd also like to see us to pull in scrypt if cperciva doesn't have any
> > objections. It's good to
John-Mark Gurney writes:
> I believe that there are patches/review for making the default password
> hash algorithm configurable via login.conf or something similar...
You mean like r64918?
DES
--
Dag-Erling Smørgrav - d...@des.no
___
freebsd-security
Mark Felder wrote this message on Wed, May 23, 2018 at 16:40 -0500:
> Around 2012[1] we made the brave switch from md5crypt to sha512. Some people
> were asking for bcrypt to be default, and others were hoping we would see
> pbkdf2 support. We went with compatible. Additionally, making password
On 18-05-23 05:40 PM, Mark Felder wrote:
In light of this new article[2] I would like to rehash (pun intended) this
conversation and also mention a bug report[3] we've been sitting on in some
form for 12 years[4] with usable code that would make working with password
hashing algorithms easier
On Wed, May 23, 2018 at 05:50:04PM -0400, Yonas Yanfa wrote:
> I recommend adding support for Argon2.
>
> https://en.wikipedia.org/wiki/Argon2
Yes, Argon2 seems like a no-brainer at this point.
-Ben
___
freebsd-security@freebsd.org mailing list
https:/
On Wed, May 23, 2018, at 16:40, Mark Felder wrote:
> Additionally, making password hashing more
>
Mailman came to the door and my barking dog interrupted my train of thought :-)
I believe what I was going for was in reference to the bugzilla report, so I'll
try again:
Additionally, making pa
I recommend adding support for Argon2.
https://en.wikipedia.org/wiki/Argon2
On Wed, May 23, 2018, 5:42 PM Mark Felder, wrote:
> Around 2012[1] we made the brave switch from md5crypt to sha512. Some
> people were asking for bcrypt to be default, and others were hoping we
> would see pbkdf2 suppo
The attached patch backports support for sha256 and sha512 hashes to
stable/7. It is not an exact MFH because the sha code in head uses
stpncpy(), which is not present in stable/7's libc.
DES
--
Dag-Erling Smørgrav - d...@des.no
Index: lib/libcrypt
==
The attached patch backports support for sha256 and sha512 hashes to
stable/7. It is not an exact MFH because the sha code in head uses
stpncpy(), which is not present in stable/7's libc.
DES
--
Dag-Erling Smørgrav - d...@des.no
Index: lib/libcrypt
==
On 6/10/12 8:03 PM, Oliver Pinter wrote:
On 6/11/12, RW wrote:
On Mon, 11 Jun 2012 00:37:30 +0200
Oliver Pinter wrote:
16 rounds in 2012? It is not to weak?!
It's hard to say. Remember that blowfish was designed as a cipher not
a hash. It's designed to be fast, but to still resist known plai
On (11/06/2012 12:43), Simon L. B. Nielsen wrote:
> On Sun, Jun 10, 2012 at 3:53 PM, Gleb Kurtsou wrote:
[...]
> > Do you mean pkcs5v2_calculate from geli? It seems to have a drawback
>
> Correct.
>
> > that results produced depend on actual CPU load.
>
> That's not the drawback, but the whole
On Mon, 11 Jun 2012 14:44:02 +0400
Lev Serebryakov wrote:
> Hello, Simon.
> You wrote 10 июня 2012 г., 14:02:50:
>
> SLBN> Has anyone looked at how long the SHA512 password hashing
> SLBN> actually takes on modern computers?
> Modern computers are not what should you afraid. Modern GPUs are.
Gleb Kurtsou writes:
> In other words, currently there is no benefit in switch default
> algorithm to relatively new crypt_sha512 vs 256-iterations
> crypt_blowfish supported on RELENG_7.
>From a cryptographic point of view, perhaps, but they are both better
than the current default (md5), and al
On (11/06/2012 12:51), Simon L. B. Nielsen wrote:
> On Mon, Jun 11, 2012 at 11:44 AM, Lev Serebryakov wrote:
> > Hello, Simon.
> > You wrote 10 июня 2012 г., 14:02:50:
> >
> > SLBN> Has anyone looked at how long the SHA512 password hashing
> > SLBN> actually takes on modern computers?
> > Modern
Robert Simmons writes:
> Mike Tancsa writes:
> > change the users passwd to something new, or just use the old
> > passwd, but re-enter it
> Bad idea. Never reuse an old password.
What's an even worse idea is to learn such things by rote and spew them
back out without ever reflecting on what th
Dag-Erling Smørgrav writes:
> There's a world of difference between switching the default to an
> algorithm we already support and which is widely used by other operating
> systems, and switching to a completely knew and untested algorithm.
ouch. s/knew/new/.
DES
--
Dag-Erling Smørgrav - d...@
"O. Hartmann" writes:
> You should also file a PR for change-requets, so it is not only in the
> email list.
I have no idea what you mean by that...
DES
--
Dag-Erling Smørgrav - d...@des.no
___
freebsd-security@freebsd.org mailing list
http://lists.fr
Mike Tancsa writes:
> Locally, we still have a need to share some passwd files between a
> couple of RELENG_8 and RELENG_7 boxes. But it might be better to just
> upgrade the new boxes to 8 if need be. If not, is Blowfish as its
> currently implemented on RELENG_7 considered strong enough ? Ther
On 6/11/2012 10:00 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa writes:
>> Dag-Erling Smørgrav writes:
>>> Mike Tancsa writes:
Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its
currently not there.
>>> "not there" as in "not supported by crypt(3)"?
>> If you put in sha2
Mike Tancsa writes:
> Dag-Erling Smørgrav writes:
> > Mike Tancsa writes:
> > > Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its
> > > currently not there.
> > "not there" as in "not supported by crypt(3)"?
> If you put in sha256|sha512 in passwd_format, the passwd that gets
> c
On Mon, Jun 11, 2012 at 11:44 AM, Lev Serebryakov wrote:
> Hello, Simon.
> You wrote 10 июня 2012 г., 14:02:50:
>
> SLBN> Has anyone looked at how long the SHA512 password hashing
> SLBN> actually takes on modern computers?
> Modern computers are not what should you afraid. Modern GPUs are.
>
On Sun, Jun 10, 2012 at 3:53 PM, Gleb Kurtsou wrote:
> On (10/06/2012 11:02), Simon L. B. Nielsen wrote:
>>
>> On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:
>>
>> > We still have MD5 as our default password hash, even though known-hash
>> > attacks against MD5 are relatively easy these days.
On Mon, Jun 11, 2012 at 10:51:45AM +0200, Dag-Erling Smørgrav wrote:
> Damian Weber writes:
> > *collision* attacks are relatively easy these days, but against 1 MD5,
> > not against 1000 times MD5
>
> I'm not talking about collision attacks, I'm talking about brute-forcing
> hashes.
>
> > ther
On 6/11/2012 4:48 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa writes:
>> Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its
>> currently not there.
>
> "not there" as in "not supported by crypt(3)"?
If you put in sha256|sha512 in passwd_format, the passwd that gets
chosen is DES,
Hello, Simon.
You wrote 10 июня 2012 г., 14:02:50:
SLBN> Has anyone looked at how long the SHA512 password hashing
SLBN> actually takes on modern computers?
Modern computers are not what should you afraid. Modern GPUs are.
And they are incredibly fast in calculation of MD5, SHA-1 and SHA-2.
Lars Engels writes:
> BTW Solaris 10 and 11 support our Blowfish algorithm, Solaris 10 >= 10/08
> supports SHA256 and SHA512 and SHA256 was mad the default algorithm in
> Solaris 11.
> Some Linux variants support Blowfish and from glibc 2.7 on they have
> support for SHA256 and SHA512.
>
> So the
Oliver Pinter writes:
> 16 rounds in 2012? It is not to weak?!
Perhaps. I don't see how that affects sha512.
DES
--
Dag-Erling Smørgrav - d...@des.no
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
Damian Weber writes:
> *collision* attacks are relatively easy these days, but against 1 MD5,
> not against 1000 times MD5
I'm not talking about collision attacks, I'm talking about brute-forcing
hashes.
> there is a NIST hash competition running, the winner will soon be announced
> (and it won
Mike Tancsa writes:
> Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its
> currently not there.
"not there" as in "not supported by crypt(3)"?
> http://phk.freebsd.dk/sagas/md5crypt_eol.html
That blog entry is (partly) why I suggested this change. I think phk is
being overly pes
On 2012-06-10 19:24, RW wrote:
On Mon, 11 Jun 2012 00:37:30 +0200
Oliver Pinter wrote:
16 rounds in 2012? It is not to weak?!
It's hard to say. Remember that blowfish was designed as a cipher not
a hash. It's designed to be fast, but to still resist known plaintext
attacks at the beginning o
On 6/11/12, RW wrote:
> On Mon, 11 Jun 2012 00:37:30 +0200
> Oliver Pinter wrote:
>
>
>> 16 rounds in 2012? It is not to weak?!
>
> It's hard to say. Remember that blowfish was designed as a cipher not
> a hash. It's designed to be fast, but to still resist known plaintext
> attacks at the beginni
On Mon, 11 Jun 2012 00:37:30 +0200
Oliver Pinter wrote:
> 16 rounds in 2012? It is not to weak?!
It's hard to say. Remember that blowfish was designed as a cipher not
a hash. It's designed to be fast, but to still resist known plaintext
attacks at the beginning of the ciphertext. It was also des
http://svnweb.freebsd.org/base/head/secure/lib/libcrypt/crypt-blowfish.c?revision=231986&view=markup
145 static const char *magic = "$2a$04$";
146
147 /* Defaults */
148 minr = 'a';
149 logr = 4;
150 rounds = 1 << logr;
151
152
On 6/8/12, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux
On 06/10/2012 06:02 AM, Simon L. B. Nielsen wrote:
Has anyone looked at how long the SHA512 password hashing actually
takes on modern computers? The "real" solution for people who care
significantly about this seems something like the algorithm pjd
implemented (I think he did it at least) for G
> On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:
>
> > We still have MD5 as our default password hash, even though known-hash
> > attacks against MD5 are relatively easy these days.
*collision* attacks are relatively easy these days, but against 1 MD5,
not against 1000 times MD5
w.r.t.
On (10/06/2012 11:02), Simon L. B. Nielsen wrote:
>
> On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:
>
> > We still have MD5 as our default password hash, even though known-hash
> > attacks against MD5 are relatively easy these days. We've supported
> > SHA256 and SHA512 for many years now,
On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 06/09/12 04:34, Mike Tancsa wrote:
> On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote:
>> We still have MD5 as our default password hash, even though
>> known-hash attacks against MD5 are relatively easy these days.
>> We've supported SHA256 and SHA
On 9 June 2012 13:16, Robert Simmons wrote:
> On Sat, Jun 9, 2012 at 9:34 AM, Mike Tancsa wrote:
>> On 6/9/2012 9:19 AM, someone wrote:
>>> hi,
>>>
>>> what is needed to change from md5 to sha512 ? As all old passwd are md5, I
>>> imagine there is a
>>> sequence of steps not to lock me out of th
On Sat, Jun 9, 2012 at 9:34 AM, Mike Tancsa wrote:
> On 6/9/2012 9:19 AM, someone wrote:
>> hi,
>>
>> what is needed to change from md5 to sha512 ? As all old passwd are md5, I
>> imagine there is a
>> sequence of steps not to lock me out of the box. is there any place that
>> documents this ?
>
On Sat, 09 Jun 2012 07:34:22 -0400
Mike Tancsa wrote:
> On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote:
> > We still have MD5 as our default password hash, even though
> > known-hash attacks against MD5 are relatively easy these days.
> > We've supported SHA256 and SHA512 for many years now, so ho
On Sat, Jun 09, 2012 at 12:04:25AM -0400, emu wrote:
> On 2012-06-09 00:01, Robert Simmons wrote:
> > On Fri, Jun 8, 2012 at 9:06 AM, Maxim Khitrov
> > wrote:
> >> On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav
> >> wrote:
> >>> We still have MD5 as our default password hash, even though
On 6/9/2012 6:34 AM, Mike Tancsa wrote:
> Sort of a security issue considering this assessment of MD5
You can use blf (blowfish) as well.
Regards,
Bryan Drewery
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/fre
On Sat, June 9, 2012 10:34, Mike Tancsa wrote:
> On 6/9/2012 9:19 AM, someone wrote:
>> hi,
>>
>> what is needed to change from md5 to sha512 ? As all old passwd are md5, I
>> imagine there is a
>> sequence of steps not to lock me out of the box. is there any place that
>> documents this ?
>
> Y
On 6/9/2012 9:19 AM, someone wrote:
> hi,
>
> what is needed to change from md5 to sha512 ? As all old passwd are md5, I
> imagine there is a
> sequence of steps not to lock me out of the box. is there any place that
> documents this ?
You need a relatively recent RELENG_8, not sure the exact d
On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on mo
On 2012-06-09 09:43, O. Hartmann wrote:
> On 06/08/12 14:51, Dag-Erling Smørgrav wrote:
>> We still have MD5 as our default password hash, even though known-hash
>> attacks against MD5 are relatively easy these days. We've supported
>> SHA256 and SHA512 for many years now, so how about making SHA5
On 2012-06-09 00:01, Robert Simmons wrote:
On Fri, Jun 8, 2012 at 9:06 AM, Maxim Khitrov
wrote:
On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav
wrote:
We still have MD5 as our default password hash, even though
known-hash
attacks against MD5 are relatively easy these days. We've
support
On 06/09/12 11:28, Dimitry Andric wrote:
> On 2012-06-09 09:43, O. Hartmann wrote:
>> On 06/08/12 14:51, Dag-Erling Smørgrav wrote:
>>> We still have MD5 as our default password hash, even though known-hash
>>> attacks against MD5 are relatively easy these days. We've supported
>>> SHA256 and SHA5
On 06/08/12 14:51, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most
On Fri, Jun 8, 2012 at 9:06 AM, Maxim Khitrov wrote:
> On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav wrote:
>> We still have MD5 as our default password hash, even though known-hash
>> attacks against MD5 are relatively easy these days. We've supported
>> SHA256 and SHA512 for many years n
One thing to consider -- given the nature of the recent attack on LinkedIn --
is to provide a setting that allows one to increase the size of the "salt."
The main danger, when a file of hashed passwords is stolen (as was the case
with LinkedIn), is that an attacker can use a pre-computed dictionar
In message <20120608172857.ge2...@stack.nl>, Ruud Althuizen writes:
>Complication isn't your friend when considering cryptography.
Sorry, it's a one way relationship, and its the other way around:
If it is cryptography, it is complicated.
But it can be complicated without being cryptography.
-
On Fri 08 Jun 2012 05:47 PM, RW wrote:
> On Fri, 08 Jun 2012 14:51:55 +0200
> Dag-Erling Smørgrav wrote:
>
> > We still have MD5 as our default password hash, even though known-hash
> > attacks against MD5 are relatively easy these days.
>
> Are any of those attacks relevant to salted passwords
On Fri, 08 Jun 2012 14:51:55 +0200
Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days.
Are any of those attacks relevant to salted passwords even with a
single MD5 hash, let alone FreeBSD's com
On Fri, Jun 08, 2012 at 02:51:55PM +0200, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default inste
On Fri, 08 Jun 2012 07:51:55 -0500, Dag-Erling Smørgrav wrote:
We still have MD5 as our default password hash, even though known-hash
attacks against MD5 are relatively easy these days. We've supported
SHA256 and SHA512 for many years now, so how about making SHA512 the
default instead of MD5,
On 06/08/12 15:06, Maxim Khitrov wrote:
> On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav wrote:
>> We still have MD5 as our default password hash, even though known-hash
>> attacks against MD5 are relatively easy these days. We've supported
>> SHA256 and SHA512 for many years now, so how abo
On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days. We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5
60 matches
Mail list logo
