[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Revisiting the SHA1 default password hash
- To: Quanah Gibson-Mount <quanah@symas.com>, openldap-devel@openldap.org
- Subject: Re: Revisiting the SHA1 default password hash
- From: Howard Chu <hyc@symas.com>
- Date: Sat, 25 Feb 2017 02:17:08 +0000
- In-reply-to: <BE8C61AE98C00B38B7A980A1@[192.168.1.30]>
- References: <B4A6086DCB7954D816BB8528@[192.168.1.30]> <2ec6af76-ca87-5694-e0ed-3e8e572c5f4a@stroeder.com> <WM!68af734acd6f844fa34c87273fb1ed9f4e6f09b89b52853f29e034d6c6362863e9c83ac420defb43eeab71fe573b25c5!@mailstronghold-3.zmailcloud.com> <ed9deb4d-d0dd-3753-b9bb-f26e93416ca1@symas.com> <WM!44c3fc316d52ca6a2b7efbf8459ab01bde505ca8f7eb591170380646a1cdd6b408c5bc863aa9be41945e412f2d648f74!@mailstronghold-1.zmailcloud.com> <BE8C61AE98C00B38B7A980A1@[192.168.1.30]>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2
Quanah Gibson-Mount wrote:
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc@symas.com> wrote:
Yes, but there should be something stronger.
How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to
SHA3. There's a lot of crypto software out there already using it. pbkdf2
is still using SHA2.
Worthwhile to read over:
<https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016>
Hm, where did these recommendations come from? They include Scrypt among their
recommendations, but there are Scrypt ASICs all over the web already making it
trivially hackable.
e.g. http://zoomhash.com/ (just google "scrypt asic" ...)
libsodium's a pretty trivial compile, I added it to Zimbra a while back for
another project.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/