[Date Prev][Date Next]
Re: Revisiting the SHA1 default password hash
On Sat, 2017-02-25 at 02:17 +0000, Howard Chu wrote:
> Quanah Gibson-Mount wrote:
> > --On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc@symas.
> > com> wrote:
> > > > Yes, but there should be something stronger.
> > > >
> > > > How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
> > >
> > > Yeah at this point we can probably bypass SHA2 and just go
> > > straight to
> > > SHA3. There's a lot of crypto software out there already using
> > > it. pbkdf2
> > > is still using SHA2.
> > Worthwhile to read over:
> > <https://paragonie.com/blog/2016/02/how-safely-store-password-in-20
> > 16>
> Hm, where did these recommendations come from? They include Scrypt
> among their
> recommendations, but there are Scrypt ASICs all over the web already
> making it
> trivially hackable.
> e.g. http://zoomhash.com/ ;(just google "scrypt asic" ...)
> > libsodium's a pretty trivial compile, I added it to Zimbra a while
> > back for
> > another project.
When I asked notable Kiwi security researcher Peter Gutmann on the
sidelines of Kiwicon about what to use if I ever imagined a Samba un-
shackled from the restrictions of Windows compatibility (the printed
conference program poked fun at AD for MD4), he strongly recommended
Argon2 as mentioned in the link above.
Either way, I'll follow this thread with interest, as I'm keen to have
a password hash in Samba that is both best-of-breed and shared between
modern OpenLDAP and Samba, for our administrators who need password
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba