Enforcing password strength

Enforcing password strength

Posted Oct 14, 2011 15:24 UTC (Fri) by skvidal (subscriber, #3094)
In reply to: Enforcing password strength by Cato
Parent article: Enforcing password strength

Unless I've misread this:
http://stackoverflow.com/questions/6058019/storing-user-a...

it sure looks like anyone using normal crypt with $6$ is going to be key-stretched.



Enforcing password strength

Posted Oct 14, 2011 17:03 UTC (Fri) by jonabbey (subscriber, #2736)

Yup, the $6$ password format is about the best thing going right now. The $2a$ bcrypt algorithm is good too, but not as widely supported on Linux.

Enforcing password strength

Posted Oct 14, 2011 19:49 UTC (Fri) by Cato (subscriber, #7643)

That's true, but that depends on the version of glibc and whether the high-level language, such as Python, makes it available, and of course the programmer must choose the $6$ format. PHP on some web hosts is still version 5.1 (still the standard version for RHEL 5.x), which means that phpass must use one of bcrypt, extended DES and MD5, depending on what's available.

It's best if everyone checks that the crypto library they are using makes use of key stretching - defending against FPGA attacks is particularly hard as they can be built to be very much faster than CPUs for only a few thousand USD.
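As an added example (not code from this thread, from glibc or from phpass): a pure-Python SHA-512 crypt, the $6$ scheme skvidal and jonabbey refer to, written from Drepper's public specification so the stretching loop that makes $6$ "key-stretched" is visible in about ten lines, together with a work_factor() helper that reads the iteration count encoded in a stored hash string, which is the check Cato recommends. The function names are this example's own, and the hash strings used in the usage lines below are constructed, not taken from any real password file.

```python
# Added example: SHA-512 crypt ($6$) per Drepper's specification, plus an
# audit of the work factor encoded in stored crypt-style hash strings.
import hashlib
import hmac
import re

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters of crypt-style base64, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(block, length):
    """Repeat a digest until it is exactly `length` bytes long."""
    return (block * (length // len(block) + 1))[:length]


def sha512_crypt(password, salt, rounds=None):
    """Return a $6$ hash. rounds=None means the default 5000 and, as with
    crypt(3), no 'rounds=' field in the output string."""
    salt = salt[:16]                      # the spec truncates the salt
    if "$" in salt:
        raise ValueError("salt may not contain '$'")
    explicit = rounds is not None
    rounds = ROUNDS_DEFAULT if rounds is None else max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    pw, s = password.encode(), salt.encode()
    b = hashlib.sha512(pw + s + pw).digest()           # digest B
    a = hashlib.sha512(pw + s)                         # digest A
    a.update(_repeat_to(b, len(pw)))
    n = len(pw)
    while n:                                           # bits of len(password)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))    # P bytes
    sb = _repeat_to(hashlib.sha512(s * (16 + a[0])).digest(), len(s))  # S bytes
    c = a
    for i in range(rounds):   # the key stretching: `rounds` chained SHA-512s
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = ""
    for i in range(21):       # the spec's fixed byte permutation (i, i+21, i+42)
        t = (i, i + 21, i + 42)
        r = i % 3
        t = t[r:] + t[:r]
        out += _b64_from_24bit(c[t[0]], c[t[1]], c[t[2]], 4)
    out += _b64_from_24bit(0, 0, c[63], 2)
    return "$6$" + (f"rounds={rounds}$" if explicit else "") + salt + "$" + out


_SHA512 = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def verify(password, stored):
    """Recompute the hash from the stored salt/rounds and compare in constant time."""
    m = _SHA512.match(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), stored)


def work_factor(stored):
    """Classify a stored hash and return (scheme, iterations of the primitive).
    An iteration count of 1 means no key stretching at all."""
    if stored[:3] in ("$6$", "$5$"):
        m = re.match(r"^\$[56]\$(?:rounds=(\d+)\$)?", stored)
        scheme = "sha512crypt" if stored[1] == "6" else "sha256crypt"
        return (scheme, int(m.group(1)) if m.group(1) else ROUNDS_DEFAULT)
    if stored.startswith("$1$"):
        return ("md5crypt", 1000)                        # fixed by the algorithm
    m = re.match(r"^\$2[abxy]?\$(\d\d)\$", stored)
    if m:
        return ("bcrypt", 2 ** int(m.group(1)))          # cost field is log2
    if stored[:3] in ("$P$", "$H$"):
        return ("phpass-md5", 2 ** B64.index(stored[3]))  # phpass portable hash
    if stored.startswith("_") and len(stored) == 20:     # BSDi extended DES
        count = sum(B64.index(ch) << (6 * k) for k, ch in enumerate(stored[1:5]))
        return ("bsdi-extended-des", count)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return ("traditional-des", 25)
    if re.fullmatch(r"[0-9a-fA-F]{32,128}", stored):
        return ("unsalted-raw-hash", 1)                  # MD5/SHA hex: no stretching
    return ("unknown", 0)


if __name__ == "__main__":
    h = sha512_crypt("Hello world!", "saltstring")        # spec test vector input
    print(h, verify("Hello world!", h), work_factor(h))
    print(work_factor("_J9..saltAbcdefghijk"))            # constructed: 725 iterations
```

On a glibc system the first line printed should equal crypt.crypt("Hello world!", "$6$saltstring") (the crypt module is deprecated in recent Python, so use it only for the comparison). The point of work_factor() is that the scheme prefix, not the library name, tells you whether stretching happened: a bare 32-hex-digit string is a single MD5 with no salt and no rounds, while $6$ with no rounds field is 5000 SHA-512 calls and bcrypt's $2a$10$ is 1024 key-schedule expansions.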
