This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed


https://sourceware.org/bugzilla/show_bug.cgi?id=16522

--- Comment #9 from David Jaša <jasa.david at gmail dot com> ---
IMO basing the hash strength on CPU speed is good as long as a sensible minimum
is set. If the minimum is raised from the current minimum to the current default,
the worst-case scenario is that security will be the same as the status quo while
it will be better on average. This behaviour is good enough IMO for the time
being.

I see another problem here though: when sha512 hashing gets definitely cheap,
keeping the minimum number of rounds low will create "pockets" of low-spec
password hashes on systems that were using the minimums, while on average
hashes will still be safe (and it will take quite some time to update all
affected systems). So it would be helpful to have an idea of what the slowest
devices are where glibc runs these days, so that the minimum rounds count can be
tailored to them and that gap is as small as possible.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
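
Added example, not part of the comment above and not glibc code: a sketch of speed-based round selection with a floor, showing how a slow device falls back to the floor while faster ones get more rounds. The function names, the 0.1 s target and the per-device timings are assumptions constructed for illustration; the three limits are the SHA-crypt values glibc uses.

```c
#include <stdio.h>

/* SHA-crypt limits as used by glibc's sha256/sha512 crypt. */
#define ROUNDS_MIN     1000UL       /* smallest rounds= value accepted */
#define ROUNDS_DEFAULT 5000UL       /* used when no rounds= is given */
#define ROUNDS_MAX     999999999UL

/* Hypothetical helper: scale a timed probe (probe_rounds took probe_secs)
   to target_secs, then clamp to [floor, ROUNDS_MAX]. */
unsigned long pick_rounds(unsigned long probe_rounds, double probe_secs,
                          double target_secs, unsigned long floor)
{
    if (floor < ROUNDS_MIN) floor = ROUNDS_MIN;
    if (probe_rounds == 0 || probe_secs <= 0.0 || target_secs <= 0.0)
        return floor;                       /* unusable measurement */
    double want = (double)probe_rounds * (target_secs / probe_secs);
    if (want >= (double)ROUNDS_MAX) return ROUNDS_MAX;
    unsigned long rounds = (unsigned long)(want + 0.5);  /* round to nearest */
    return rounds < floor ? floor : rounds;
}

/* Hypothetical helper: build the crypt() setting "$6$rounds=N$salt$". */
int format_setting(char *buf, size_t len, unsigned long rounds, const char *salt)
{
    int n = snprintf(buf, len, "$6$rounds=%lu$%s$", rounds, salt);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    /* Constructed timings: seconds each device needs for 5000 rounds. */
    struct { const char *name; double secs; } dev[] = {
        { "slow embedded", 0.200 }, { "laptop", 0.005 }, { "server", 0.002 },
    };
    char setting[64];
    for (size_t i = 0; i < sizeof dev / sizeof dev[0]; i++) {
        unsigned long r = pick_rounds(ROUNDS_DEFAULT, dev[i].secs, 0.1, ROUNDS_DEFAULT);
        format_setting(setting, sizeof setting, r, "constructedsalt");
        printf("%-14s %9lu  %s\n", dev[i].name, r, setting);
    }
    return 0;
}
```

Passing `ROUNDS_MIN` instead of `ROUNDS_DEFAULT` as the floor lets the slow device drop below 5000 rounds, which is the "pocket" of weaker hashes the comment describes.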
