Fwd: crypt_blowfish 0.4.6
rogelio at smsglobal.net
Tue Apr 27 03:55:34 PDT 2004
On 2004-04-27 18:43:35 +0800 Robert Connolly
<robert at linuxfromscratch.org> wrote:
> On April 26, 2004 07:26 am, Archaic wrote:
>> ----- Forwarded message from Solar Designer
>> <solar at openwall.com> -----
>> A new version of the password hashing package, crypt_blowfish
>> has been released.
> I can install libxcrypt and crypt_blowfish fine. My problem is
> getting shadow and/or pam to use it.
I think it's not necessary to use shadow or pam with crypt
blowfish. It was designed to be publicly readable because its
security depends on a dictionary attack being too slow. With
55-byte passwords I think that's secure enough. I'm using it now
on a uClibc system and I used a very high round value of 12. It
takes about 1.5 seconds to compute the hash value when I log in
on an Athlon 1900+ system. OpenBSD uses 6 rounds I think and
their /etc/passwd is world readable. I'm actually using the SRP
verifier instead of the hash in my world readable /etc/passwd.
This way SRP logins are supported directly and local logins
compute the verifier directly from the password. I'm not using
SSH at all.