mailinglists at ban-solms.de
Sat Oct 11 00:38:29 PDT 2008
Robert Connolly wrote:
> On Thursday October 9 2008 06:21:37 pm Bruce Dubbs wrote:
>> Should there be a mention of the possible use of SHA password encryption?
> Using MD5 or SHA can be kept simple by using all the default options for SHA,
> and mentioning that there are more options in login.defs. Many people probably
> don't know SHA was added to Glibc.
When you mention the possibility for SHA, maybe it is a good idea to
also mention the option to increase the number of SHA rounds.
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# If not specified, the libc will choose the default number of rounds
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
I do not have any numbers on the CPU resources needed when
(dramatically) increasing SHA rounds.
DIY note for reference:
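The MIN/MAX rules in the login.defs comment quoted above, worked through as an added Python example; it is not part of the original message and not code from the shadow package. The function name `effective_rounds` and the sample inputs are constructed for illustration, and clamping out-of-range values into 1000-999999999 is this example's assumption.

```python
import re

# Range stated in the quoted login.defs comment.
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999

# Matches only active settings; a line starting with '#' is a comment.
_SETTING = re.compile(r"^\s*(SHA_CRYPT_(?:MIN|MAX)_ROUNDS)\s+(\d+)\s*$")


def _clamp(value):
    # Assumption of this example: out-of-range values are pulled into range.
    return min(max(value, ROUNDS_MIN), ROUNDS_MAX)


def effective_rounds(login_defs_text):
    """Return the (low, high) rounds range the settings describe,
    or None when neither is set and libc picks its default."""
    found = {}
    for line in login_defs_text.splitlines():
        match = _SETTING.match(line)
        if match:
            found[match.group(1)] = int(match.group(2))

    low = found.get("SHA_CRYPT_MIN_ROUNDS")
    high = found.get("SHA_CRYPT_MAX_ROUNDS")
    if low is None and high is None:
        return None                 # "the libc will choose the default"
    if low is None:
        low = high                  # only MAX set: that value is used
    if high is None:
        high = low                  # only MIN set: that value is used
    if low > high:
        high = low                  # MIN > MAX: the highest value is used
    return _clamp(low), _clamp(high)


# Constructed sample inputs, not taken from any real system.
AS_SHIPPED = "# SHA_CRYPT_MIN_ROUNDS 5000\n# SHA_CRYPT_MAX_ROUNDS 5000\n"
ONLY_MIN = "SHA_CRYPT_MIN_ROUNDS 100000\n"
INVERTED = "SHA_CRYPT_MIN_ROUNDS 200000\nSHA_CRYPT_MAX_ROUNDS 50000\n"
TOO_LOW = "SHA_CRYPT_MIN_ROUNDS 10\nSHA_CRYPT_MAX_ROUNDS 5000\n"

if __name__ == "__main__":
    for name, text in [("as shipped", AS_SHIPPED), ("only MIN", ONLY_MIN),
                       ("MIN > MAX", INVERTED), ("below range", TOO_LOW)]:
        print(name, "->", effective_rounds(text))
```

With both lines left commented out, as in the excerpt, the function returns None: the rounds settings have no effect until the leading `#` is removed.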