Re: PHK's MD5 might not be slow enough anymore

On 1/28/10 3:18 PM, Chris Palmer wrote:
For backwards compatibility, which do people prefer: Creating a new $N$
prefix every time we re-tune the algorithm, or using a new notation to say
how many times this password was hashed? For example: $1.1000$, $1.100000$,
et c.?

I prefer the latter. It can work with Blowfish, too, and anything else
people come up with in the future.

The Blowfish one already has that feature.

A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my /etc/login.conf files to set "passwd_format=blf" and all my password hashes are in the format "$2a$04$salthash" -- with the "04" being the (default) number of rounds of Blowfish to run. I have some users where it's set to 11 rounds, and as you'd expect, it puts a pretty big hurt on the ability of things like John The Ripper to attack the hashes.

Just making sure we aren't suggesting reinventing a wheel here :)

Even 4 rounds of Blowfish is far slower than 1000 rounds of MD5, and 1000 rounds of MD5 is far slower than DES. And yeah, fear of MD5 collisions is totally irrelevant here.
If you're really that worried about MD5 anyway, just change "passwd_format=md5" to "passwd_format=blf" in your login.conf's default section and be happy :)
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages