This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- From: "jasa.david at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 07 Feb 2014 16:31:50 +0000
- Subject: [Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- Auto-submitted: auto-generated
- References: <bug-16522-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=16522
--- Comment #9 from David Jaša <jasa.david at gmail dot com> ---
IMO basing the hash strength on CPU speed is good as long as a sensible minimum
is set. If the minimum is raised from the current minimum to the current default, the
worst-case scenario is that security will be the same as the status quo while it
will be better on average. This behaviour is good enough IMO for the time
being.

I see another problem here though: when sha512 hashing gets definitely cheap,
keeping the minimum amount of rounds low will create "pockets" of low-spec
password hashes on systems that were using the minimums, while on average
hashes will still be safe (and it will take quite some time to update all
affected systems). So it would be helpful to have an idea of what the slowest
devices where glibc runs these days are, so that the minimum rounds count can be
tailored to them and that gap is as small as possible.
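The calibration discussed in this comment, as an added example that is not part of the original mail and is not glibc code: a timed probe is scaled to a target time and clamped to a floor, so a slow device lands exactly on the floor while a fast one gets more rounds. The function names are hypothetical, the iterated SHA-512 loop is only a stand-in for the sha512-crypt round loop, and the three constants are the limits used by glibc's sha-crypt.

```python
import hashlib
import time

# Round limits used by glibc's sha-crypt implementation.
ROUNDS_MIN = 1000
ROUNDS_DEFAULT = 5000
ROUNDS_MAX = 999_999_999


def pick_rounds(probe_rounds, probe_seconds, target_seconds,
                floor=ROUNDS_DEFAULT, ceiling=ROUNDS_MAX):
    """Scale a timed probe to the target time, then clamp to [floor, ceiling]."""
    if probe_rounds <= 0 or probe_seconds <= 0 or target_seconds <= 0:
        raise ValueError("probe and target values must be positive")
    scaled = int(probe_rounds * target_seconds / probe_seconds)
    # The floor is what bounds the worst case: a slow machine never goes below it.
    return max(floor, min(scaled, ceiling))


def time_probe(probe_rounds=20_000):
    """Time probe_rounds chained SHA-512 calls (assumed stand-in workload)."""
    digest = b"constructed-sample-input"
    start = time.perf_counter()
    for _ in range(probe_rounds):
        digest = hashlib.sha512(digest).digest()
    return time.perf_counter() - start


def rounds_setting(rounds):
    """Format the rounds= prefix of a $6$ (sha512-crypt) setting string."""
    return f"$6$rounds={rounds}$"


if __name__ == "__main__":
    elapsed = time_probe()
    chosen = pick_rounds(20_000, elapsed, target_seconds=0.125)
    print(f"this host: 20000 rounds in {elapsed:.4f}s -> {rounds_setting(chosen)}")
    # Constructed slow device: the probe takes 4 s, so scaling alone gives 625.
    print("slow device, floor = default:", pick_rounds(20_000, 4.0, 0.125))
    print("slow device, floor = minimum:",
          pick_rounds(20_000, 4.0, 0.125, floor=ROUNDS_MIN))
```

With the floor at the default, the constructed slow device gets the same rounds count as today's default; with the floor left at the minimum it drops to the minimum, which is the "pocket" the comment describes.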