[nycbug-talk] blowfish FreeBSD passwords
Ray Lai
nycbug at cyth.net
Wed Mar 22 16:52:24 EST 2006
On Wed, Mar 22, 2006 at 04:42:51PM -0500, Isaac Levy wrote:
> Hey All,
>
> QUESTION:
> --
> Just on my mind today- has anyone seen any talk of blowfish password
> hashes being set as default in FreeBSD? It's standard on OpenBSD
> right, but I'm annoyed today as I set up a bunch of new boxes and have
> to manage one more thing...
>
>
> HOW:
> --
> For the record, for people on list who don't know how to do this,
> here's a simple comprehensive how-to, to make blowfish default for
> password hashes instead of md5:
>
> http://filter.rackeasy.com/articles/2005/11/30/setup-freebsd-to-use-blowfish
>
> WHY:
> --
> Perhaps some of the crypto hardcores on list can expound on this
> issue, but here's my basic description of the issue- md5 hashes,
> aside from being cracked (collisions), are not salted. Blowfish is
> salted. Therefore, it's significantly more difficult to brute-force
> passwords based on blowfish hashes.
>
> In essence, based on most threat models, if an untrusted user can
> read your /etc/master.passwd file, you have other problems to worry
> about- but this is a simple change that can mitigate small migraine
> headaches.
Paper: http://openbsd.rt.fm/papers/bcrypt-paper.ps
Slides: http://openbsd.rt.fm/papers/bcrypt-slides.ps
-Ray-
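As an added example (not from this thread or the linked how-to): switching `passwd_format` in login.conf only changes the scheme used for passwords set afterwards, so existing accounts keep their md5crypt or DES hashes until the user runs passwd(1) again. This script parses master.passwd(5) entries and reports which accounts still carry a non-bcrypt hash; the sample entries and hash bodies are constructed placeholders.

```python
# Audit which hash scheme each account in a FreeBSD master.passwd(5) file
# actually uses. Changing passwd_format in login.conf(5) only affects
# passwords set afterwards, so accounts keep their old md5crypt (or DES)
# hashes until the user runs passwd(1) again; this finds those stragglers.
import re
from typing import Dict, List

# Modular-crypt prefixes -> scheme name.
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def classify_hash(field: str) -> Dict[str, str]:
    """Return the scheme and salt (and cost for bcrypt) of one password field."""
    if field == "":
        return {"scheme": "empty", "salt": ""}
    if field.startswith(("*", "!")):
        return {"scheme": "locked", "salt": ""}
    for prefix, scheme in PREFIXES.items():
        if field.startswith(prefix):
            body = field[len(prefix):]
            if scheme == "bcrypt":  # $2b$<cost>$<22-char salt><31-char hash>
                cost, rest = body.split("$", 1)
                return {"scheme": scheme, "salt": rest[:22], "cost": cost}
            return {"scheme": scheme, "salt": body.split("$", 1)[0]}  # $1$<salt>$<hash>
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return {"scheme": "descrypt", "salt": field[:2]}  # traditional crypt(3)
    return {"scheme": "unknown", "salt": ""}

def parse_master_passwd(text: str) -> List[Dict[str, str]]:
    """Parse master.passwd(5) lines: 10 colon-separated fields, hash in field 2."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue  # malformed; pwd_mkdb(8) would reject it as well
        info = classify_hash(fields[1])
        info["user"] = fields[0]
        entries.append(info)
    return entries

def still_weak(entries: List[Dict[str, str]]) -> List[str]:
    """Active accounts whose stored hash is not bcrypt."""
    return [e["user"] for e in entries if e["scheme"] in ("md5crypt", "descrypt")]

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = """root:$1$AbCdEfGh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2b$10$ABCDEFGHIJKLMNOPQRSTUV0123456789abcdefghijklmnopqrstu:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/usr/sbin/nologin
legacy:abJnggxhB/yWI:1003:1003::0:0:Legacy:/home/legacy:/bin/sh"""
```

Run `still_weak(parse_master_passwd(open("/etc/master.passwd").read()))` as root to list the accounts that need a password reset after the switch.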