Re: Default password hash

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Sat, 09 Jun 2012 09:43:03 +0200

On 06/08/12 14:51, Dag-Erling Smørgrav wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days.  We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
> 
> Index: etc/login.conf
> ===================================================================
> --- etc/login.conf      (revision 236616)
> +++ etc/login.conf      (working copy)
> _at__at_ -23,7 +23,7 _at__at_
>  # AND SEMANTICS'' section of getcap(3) for more escape sequences).
> 
>  default:\
> -       :passwd_format=md5:\
> +       :passwd_format=sha512:\
>         :copyright=/etc/COPYRIGHT:\
>         :welcome=/etc/motd:\
>         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
> 
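Review bot: The `+       :passwd_format=sha512:\` line changes the default without a matching documentation update; login.conf(5) should be updated in the same commit so that passwd_format documents sha512 as an accepted value. The commit message should also say that only the `default` class is touched and that the setting governs hashes written at the next password change, so existing MD5 entries remain until each user sets a new password.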
> DES

You should also file a PR for change requests, so it is not only in the
email list. I second a change, since I have used "blf" since 2009 without
(obvious) problems.

The manpage for login.conf also needs an update. I checked this morning
and found that the manpage doesn't even mention hashes apart from des,
md5 and blf.

Oliver
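
An added example, not part of the original message or of the FreeBSD tree: since passwd_format only applies when a password is next set, this sketch classifies master.passwd(5) entries by their crypt(3) prefix and lists accounts still on a scheme other than the wanted one. The sample entries are constructed (not real hashes) and the function names are hypothetical.

```python
"""Classify master.passwd(5) entries by crypt(3) hash scheme (added example)."""
from collections import Counter

# crypt(3) modular-format prefixes mapped to login.conf passwd_format names.
PREFIXES = (("$1$", "md5"), ("$2", "blf"), ("$5$", "sha256"), ("$6$", "sha512"))

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$6$c0nstructedsalt$Zm9vYmFy:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$abcdefghijklmnopqrstuuPLACEHOLDERPLACEHOLD:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
carol:abJnggxhB/yWI:1003:1003::0:0:Carol:/home/carol:/bin/sh
""".splitlines()

def classify(field):
    """Return the scheme name for one password field."""
    if field == "":
        return "empty"
    if field.startswith("*"):          # "*" or "*LOCKED*<hash>": no password login
        return "locked"
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if field.startswith("_") and len(field) == 20:
        return "des-extended"
    if len(field) == 13:               # traditional DES: 2-char salt + 11-char hash
        return "des"
    return "unknown"

def audit(lines, wanted="sha512"):
    """Return (Counter of schemes, sorted users whose hash is not `wanted`)."""
    counts, stale = Counter(), []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) != 10:          # master.passwd(5) has ten fields per entry
            continue
        scheme = classify(fields[1])
        counts[scheme] += 1
        if scheme not in (wanted, "locked", "empty"):
            stale.append(fields[0])
    return counts, sorted(stale)

if __name__ == "__main__":
    counts, stale = audit(SAMPLE)
    print("schemes in use:", dict(counts))
    print("not yet sha512:", ", ".join(stale))
```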


Received on Sat Jun 09 2012 - 05:43:12 UTC