This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/13286] RFE: bcrypt support
- From: "lsof at nodata dot co.uk" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Thu, 13 Oct 2011 19:49:56 +0000
- Subject: [Bug libc/13286] RFE: bcrypt support
- Auto-submitted: auto-generated
- References: <bug-13286-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=13286
--- Comment #4 from lsof at nodata dot co.uk 2011-10-13 19:49:56 UTC ---
(In reply to comment #3)
> You haven't read the paper in detail, right? You can tweak how expensive is it
> to compute it.
I didn't read the paper, I just tried to answer your question by quoting the
website that says that hash isn't very good for passwords.
> E.g.
> crypt ("Hello, world!", "$6$rounds=99999999$asaltof16chars..")
> takes almost 80 seconds to compute on pretty fast box these days, and the
> hashing scheme allows even 10 times more rounds than that. While you can
> parallelize by computing crypt of many passwords at once, computing a single
> password is hardly parallelizable.
> So if you are worried that you can crack it too fast, just use a higher rounds=
> from the default 5000.
Okay so creating a crypted password is strong. I'm guessing the other types of
attack (brute, dictionary, rainbow, etc.) are safe as well.
I'm not really the right person to be answering questions like this, I've
e-mailed the author of the article, maybe he will reply here.
One question though - would it be a bad thing to have bcrypt as an option?
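The `rounds=` work factor discussed in the quoted reply can be checked on stored hashes. The following is an added example, not part of the original message or of glibc: it parses `$5$`/`$6$` crypt strings and flags shadow-style entries whose effective round count is below a policy threshold. The sample lines, the threshold, and the function names are constructed for illustration; the minimum (1000) and maximum (999999999) are the SHA-crypt specification's limits, and 5000 is the default named above.

```python
import re

# SHA-crypt limits; 5000 is the default mentioned in the thread.
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SALT_LEN_MAX = 16
SCHEMES = {"5": "sha256crypt", "6": "sha512crypt"}
SETTING = re.compile(r"^\$([56])\$(?:rounds=([0-9]+)\$)?([^$]*)")

def effective_rounds(setting):
    """Return (scheme, rounds, salt) for a $5$/$6$ string, else None."""
    m = SETTING.match(setting)
    if not m:
        return None
    ident, rounds, salt = m.groups()
    if rounds is None:
        # No valid "rounds=N$" prefix: the default applies.
        n = ROUNDS_DEFAULT
    else:
        # Out-of-range requests are clamped, not rejected.
        n = max(ROUNDS_MIN, min(int(rounds), ROUNDS_MAX))
    return SCHEMES[ident], n, salt[:SALT_LEN_MAX]

def audit(shadow_lines, min_rounds):
    """List (user, finding, rounds) for entries below the policy."""
    findings = []
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        field = field.lstrip("!")          # locked account, hash kept
        if field in ("", "*"):             # no password set
            continue
        parsed = effective_rounds(field)
        if parsed is None:
            findings.append((user, "other-scheme", None))
        elif parsed[1] < min_rounds:
            findings.append((user, "weak-rounds", parsed[1]))
    return findings

# Constructed sample entries; the hash part is a placeholder.
SAMPLE = [
    "alice:$6$saltsaltsaltsalt$PLACEHOLDER:19000:0:99999:7:::",
    "bob:$6$rounds=500$shortsalt$PLACEHOLDER:19000:0:99999:7:::",
    "carol:$6$rounds=656000$saltsaltsaltsalt$PLACEHOLDER:19000:0:99999:7:::",
    "dave:$1$oldsalt$PLACEHOLDER:19000:0:99999:7:::",
    "svc:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, min_rounds=100_000):
        print(finding)
```

Note that `bob` asks for 500 rounds but is reported at 1000, because requests below the minimum are raised to it rather than refused.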