We still have MD5 as our default password hash, even though known-hash
attacks against MD5 are relatively easy these days. We've supported
SHA256 and SHA512 for many years now, so how about making SHA512 the
default instead of MD5, like on most Linux distributions?
Index: etc/login.conf
==================================================================---
etc/login.conf (revision 236616)
+++ etc/login.conf (working copy)
@@ -23,7 +23,7 @@
# AND SEMANTICS'' section of getcap(3) for more escape sequences).
default:\
- :passwd_format=md5:\
+ :passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
DES
--
Dag-Erling Sm?rgrav - des@des.no
On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Sm?rgrav <des@des.no> wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. ?We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions?If SHA-2 hashes have been supported for many years, why haven't the man pages been updated? login.conf(5) on 9.0-RELEASE still only lists "des", "md5", and "blf". I've been using the latter on my systems. - Max
On Fri, 08 Jun 2012 07:51:55 -0500, Dag-Erling Sm?rgrav <des@des.no> wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? > > Index: etc/login.conf > ==================================================================> --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > > DESI strongly support this -- using either SHA-2 or Blowfish would be a great step forward. You'll also want to change the defuault for auth.conf so adduser picks it up. # # $FreeBSD: releng/9.0/etc/auth.conf 118103 2003-07-28 02:28:51Z rwatson $ # # Configure some authentication-related defaults. This file is being # gradually subsumed by user class and PAM configuration. # # crypt_default = md5 des
On Fri, Jun 08, 2012 at 02:51:55PM +0200, Dag-Erling Sm?rgrav wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? > > Index: etc/login.conf > ==================================================================> --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ >+1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120608/d06862b9/attachment.pgp
On Fri, 08 Jun 2012 14:51:55 +0200 Dag-Erling Sm?rgrav wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days.Are any of those attacks relevant to salted passwords even with a single MD5 hash, let alone FreeBSD's complicated iterative algorithm? > We've supported SHA256 and SHA512 for many years now, so how about> making SHA512 the default instead of MD5, like on most Linux > distributions?I think the most important consideration is which is most resistant to brute force dictionary attack with GPUs. From a quick look at the code SHA512 looks to have 5000 rounds compared to MD5's 1000, but it's not so easy to compare with Blowfish.
One thing to consider -- given the nature of the recent attack on LinkedIn -- is to provide a setting that allows one to increase the size of the "salt." The main danger, when a file of hashed passwords is stolen (as was the case with LinkedIn), is that an attacker can use a pre-computed dictionary to break accounts with weak or commonly used passwords. The larger the "salt," the more impractical it becomes to prepare or store such a dictionary. This can matter more than the strength or computational burden of the hashing algorithm. --Brett Glass At 06:51 AM 6/8/2012, Dag-Erling Sm??rgrav wrote:>We still have MD5 as our default password hash, even though known-hash >attacks against MD5 are relatively easy these days. We've supported >SHA256 and SHA512 for many years now, so how about making SHA512 the >default instead of MD5, like on most Linux distributions? > >Index: etc/login.conf >==================================================================>--- etc/login.conf (revision 236616) >+++ etc/login.conf (working copy) >@@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ >- :passwd_format=md5:\ >+ :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > >DES >-- >Dag-Erling Sm??rgrav - des@des.no >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > > >----- >No virus found in this message. >Checked by AVG - www.avg.com >Version: 10.0.1424 / Virus Database: 2433/5055 - Release Date: 06/07/12
On 06/08/12 14:51, Dag-Erling Sm?rgrav wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? > > Index: etc/login.conf > ==================================================================> --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > > DESYou should also file a PR for change-requets, so it is not only in the email list. I second a change, since I use "blf" since 2009 without (obvious) problems. The manpage for login.conf also needs an update. I checked this morning and found that thye manpage doesn't even mention hashes apart from des, md5 and blf. Oliver -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120609/b5294028/signature.pgp
On 6/8/2012 8:51 AM, Dag-Erling Sm?rgrav wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions?Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its currently not there. RELENG_7 is supported until 2013 Sort of a security issue considering this assessment of MD5 http://phk.freebsd.dk/sagas/md5crypt_eol.html ---Mike> > Index: etc/login.conf > ==================================================================> --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > > DES-- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
On 6/9/2012 9:19 AM, someone wrote:> hi, > > what is needed to change from md5 to sha512 ? As all old passwd are md5, I imagine there is a > sequence of steps not to lock me out of the box. is there any place that documents this ?You need a relatively recent RELENG_8, not sure the exact date. To change the pass format, edit the file login.conf cd /etc vi /etc/login.conf where it shows default:\ :passwd_format=md5:\ change it to default:\ :passwd_format=sha512:\ Regenerate the db file cap_mkdb login.conf The old passwd hash thats MD5 based will look something like 0(cage2)# grep testuser /etc/master.passwd testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh 0(cage2)# note the $1$ change the users passwd to something new, or just use the old passwd, but re-enter it 1(cage2)# grep testuser /etc/master.passwd testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh 0(cage2)# passwd testuser Changing local password for testuser New Password: Retype New Password: 0(cage2)# grep testuser /etc/master.passwd testuser:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:1004:1004::0:0:User &:/home/testuser:/bin/sh 0(cage2)# Note the $6$ in the hash, and its now super long. If your FreeBSD version does not support sha512, Blowfish might be a better alternative. Note sure, perhaps others here know how safe it is again, change the same file to default:\ :passwd_format=blf:\ and do a cap_mkdb login.conf 0(cage2)# passwd testuser Changing local password for testuser New Password: Retype New Password: 0(cage2)# grep testuser /etc/master.passwd testuser:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1004:1004::0:0:User &:/home/testuser:/bin/sh 0(cage2)# Note the $2a$ Other place to do it is in auth.conf, but I usually do it in login.conf as shown above. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
On 6/9/2012 6:34 AM, Mike Tancsa wrote:> Sort of a security issue considering this assessment of MD5You can use blf (blowfish) as well. Regards, Bryan Drewery
On Sat, Jun 9, 2012 at 9:34 AM, Mike Tancsa <mike@sentex.net> wrote:> On 6/9/2012 9:19 AM, someone wrote: >> hi, >> >> what is needed to change from md5 to sha512 ? As all old passwd are md5, I imagine there is a >> sequence of steps not to lock me out of the box. is there any place that documents this ? > change the users passwd to something new, or just use the old passwd, > but re-enter itBad idea. Never reuse an old password.
On 9 June 2012 13:16, Robert Simmons <rsimmons0@gmail.com> wrote:> On Sat, Jun 9, 2012 at 9:34 AM, Mike Tancsa <mike@sentex.net> wrote: >> On 6/9/2012 9:19 AM, someone wrote: >>> hi, >>> >>> what is needed to change from md5 to sha512 ? As all old passwd are md5, I imagine there is a >>> sequence of steps not to lock me out of the box. is there any place that documents this ? >> change the users passwd to something new, or just use the old passwd, >> but re-enter itchange the default format and run passwd. The password will transparently change. -- Eitan Adler
On 8 Jun 2012, at 13:51, Dag-Erling Sm?rgrav wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions?Has anyone looked at how long the SHA512 password hashing actually takes on modern computers? The "real" solution for people who care significantly about this seems something like the algorithm pjd implemented (I think he did it at least) for GELI, where the number of rounds is variable and calculated so it takes X/0.X seconds on the specific hardware used. That's of course a lot more complicated, and I'm not sure if it would work with the crypt() API. Also, does anyone know if our SHA512 is compatible with the format used by Linux, other BSD's etc? -- Simon L. B. Nielsen
On 6/8/12, Dag-Erling Sm?rgrav <des@des.no> wrote:> We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? > > Index: etc/login.conf > ==================================================================> --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). > > default:\ > - :passwd_format=md5:\ > + :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ > > DES > -- > Dag-Erling Sm?rgrav - des@des.no > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >