Re: Default password hash

On Sat, 09 Jun 2012 07:34:22 -0400
Mike Tancsa wrote:

> On 6/8/2012 8:51 AM, Dag-Erling Sm=F8rgrav wrote:
> > We still have MD5 as our default password hash, even though
> > known-hash attacks against MD5 are relatively easy these days.
> > We've supported SHA256 and SHA512 for many years now, so how about
> > making SHA512 the default instead of MD5, like on most Linux
> > distributions?
>=20
> Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ?  Its
> currently not there.
>=20
> RELENG_7 is supported until 2013
>=20
> Sort of a security issue=20

Lets not forget that this is an attack against insecure passwords
performed after an attacker has already gained root or physical access.

> considering this assessment of MD5
>=20
> http://phk.freebsd.dk/sagas/md5crypt_eol.html

In the context of that all the existing algorithms are pretty insecure.
The people that are doing this are brute forcing passwords; the
cryptographic merits of the underlying hash are immaterial, except in
as far as they slow things down.=20

I would estimate that md5crypt vs sha512crypt is roughly:

2.5 * (5000rounds/1000rounds) *  (512bits/128bits) =3D 50

to put that in context, going from simple md5 to md5crypt is factor of
~1024.

50 is equivalent to less than 6bits of password entropy. In some cases
it may make little difference to the percentage of passwords cracked.

=20

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"