Fwd: crypt_blowfish 0.4.6

Rogelio Serrano rogelio at smsglobal.net
Tue Apr 27 03:55:34 PDT 2004

On 2004-04-27 18:43:35 +0800 Robert Connolly <robert at linuxfromscratch.org> wrote:

> On April 26, 2004 07:26 am, Archaic wrote:
>> ----- Forwarded message from Solar Designer <solar at openwall.com> -----
>> A new version of the password hashing package, crypt_blowfish 0.4.6,
>> has been released.
> I can install libxcrypt and crypt_blowfish fine. My problem is getting
> shadow and/or pam to use it.

I think it's not necessary to use shadow or pam with crypt
blowfish. It was designed to be publicly readable because its
security depends on a dictionary attack being too slow. With 55
byte passwords I think that's secure enough. I'm using it now on
a uClibc system and I used a very high round value of 12. It
takes about 1.5 seconds to compute the hash value when I log in
on an Athlon 1900+ system. OpenBSD uses 6 rounds I think and
their /etc/passwd is world readable. I'm actually using the SRP
verifier instead of the hash in my world readable /etc/passwd.
This way SRP logins are supported directly and local logins
compute the verifier directly from the password. I'm not using
SSH at all.
