freebsd security - Jun 2012 - blf uses only 2^4 round for passwd encoding?! [Re: Default password hash]

http://svnweb.freebsd.org/base/head/secure/lib/libcrypt/crypt-blowfish.c?revision=231986&view=markup

145          static const char     *magic = "$2a$04$";
  146
  147                  /* Defaults */
  148          minr = 'a';
  149          logr = 4;
  150          rounds = 1 << logr;
  151
  152          /* If it starts with the magic string, then skip that */
  153          if(!strncmp(salt, magic, strlen(magic))) {
  154                  salt += strlen(magic);
  155          }

grep 04 /etc/master.passwd:
root:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:XXX:/root:/bin/csh
xxxx:$2a$04$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:100X:100X::0:0:XXXXXXXXXXXXX:/home/xxxx:/bin/tcsh

16 rounds in 2012? It is not to weak?!

On 6/8/12, Dag-Erling Sm?rgrav <des@des.no> wrote:
> We still have MD5 as our default password hash, even though known-hash
> attacks against MD5 are relatively easy these days.  We've supported
> SHA256 and SHA512 for many years now, so how about making SHA512 the
> default instead of MD5, like on most Linux distributions?
>
> Index: etc/login.conf
> ==================================================================> ---
etc/login.conf      (revision 236616)
> +++ etc/login.conf      (working copy)
> @@ -23,7 +23,7 @@
>  # AND SEMANTICS'' section of getcap(3) for more escape sequences).
>
>  default:\
> -       :passwd_format=md5:\
> +       :passwd_format=sha512:\
>         :copyright=/etc/COPYRIGHT:\
>         :welcome=/etc/motd:\
>         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>
> DES
> --
> Dag-Erling Sm?rgrav - des@des.no
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"
>

On Mon, 11 Jun 2012 00:37:30 +0200
Oliver Pinter wrote:

> 16 rounds in 2012? It is not to weak?!
It's hard to say. Remember that blowfish was designed as a cipher not
a hash. It's designed to be fast, but to still resist known plaintext
attacks at the beginning of the ciphertext. It was also designed to
work directly with a passphrase because there was a history of
programmers abusing DES by using simple ascii passwords as keys. 

For these reasons initialization is deliberately expensive,
effectively it already contains an element of passphrase hashing.

Oliver Pinter <oliver.pntr@gmail.com> writes:
> 16 rounds in 2012? It is not to weak?!
Perhaps.  I don't see how that affects sha512.

DES
-- 
Dag-Erling Sm?rgrav - des@des.no