This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug crypt/16814] RFE: Reconsider adding bcrypt (or scrypt) support
- From: "dkg at fifthhorseman dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 24 May 2018 14:12:05 +0000
- Subject: [Bug crypt/16814] RFE: Reconsider adding bcrypt (or scrypt) support
- Auto-submitted: auto-generated
- References: <bug-16814-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=16814
Daniel Kahn Gillmor <dkg at fifthhorseman dot net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dkg at fifthhorseman dot net
--- Comment #2 from Daniel Kahn Gillmor <dkg at fifthhorseman dot net> ---
Rich, your suggestion for the password-hashing daemon is pretty interesting,
but i'm not sure how you'd control/ration/audit access to it. it strikes me as
a relatively easy DoS vector for the machine as a whole, if the hashing is done
by a dedicated user account, which isn't tied directly back to any of the other
accounting systems.

fwiw, i agree that we should have something better than the sha-2-based digests
available. I'm not entirely sure why we should avoid heavyweight memory/cpu
access for those applications which need to hash passwords, though. if you
need to hash passwords responsibly, you need to do some work. most tools don't
do password-hashing, so we're not talking about adding this to arbitrary
systems.