[nycbug-talk] blowfish FreeBSD passwords

Ray Lai nycbug at cyth.net
Wed Mar 22 16:52:24 EST 2006

On Wed, Mar 22, 2006 at 04:42:51PM -0500, Isaac Levy wrote:
> Hey All,
> --
> Just on my mind today- has anyone seen any talk of blowfish password  
> hashes being set as default in FreeBSD?  It's standard on OpenBSD  
> right, but I'm annoyed today as I setup a bunch of new boxes and have  
> to manage one more thing...
> HOW:
> --
> For the record, for people on list who don't know how to do this,  
> here's a simple comprehensive how-to, to make blowfish default for  
> password hashes instead of md5:
> http://filter.rackeasy.com/articles/2005/11/30/setup-freebsd-to-use- 
> blowfish
> WHY:
> --
> Perhaps some of the crypto hardcores on list can expound on this  
> issue, but here's my basic description of the issue- md5 hashes,  
> aside from being cracked (collisions), are not salted.  Blowfish, is  
> salted.  Therefore, it's significantly more difficult to brute-force  
> passwords based on blowfish hashes.
> In essence, based on most threat models, if an untrusted user can  
> read your /etc/master.passwd file, you have other problems to worry  
> about- but this is a simple change that can mitigate small migrane  
> headaches.

Paper: http://openbsd.rt.fm/papers/bcrypt-paper.ps
Slides: http://openbsd.rt.fm/papers/bcrypt-slides.ps


More information about the talk mailing list