This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- From: "bugdal at aerifal dot cx" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 04 Feb 2014 19:14:52 +0000
- Subject: [Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- Auto-submitted: auto-generated
- References: <bug-16522-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=16522
--- Comment #5 from Rich Felker <bugdal at aerifal dot cx> ---
I see we're working with very different versions of "bearable". To me, 0.3s is
hardly "bearable" and 4.5s is utterly atrocious. And this is all assuming
there's only a single password being validated at a time and that you don't
care about 0.3 to 4.5 seconds of 100% cpu load interfering with whatever else
is running on the system.

Yes, for ssh login, most people should be using public key authentication, not
passwords. But password hashes are used for lots of other purposes too other
than unix account login. In cases where password hashes are being used, their
strength really needs to be tuned to the application, which is highly dependent
on things like number of users, expected cpu load, etc. and not just a function
of the raw cpu speed. So I'm skeptical of attempts to automate choosing a
strength parameter based on the latter...
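Added example, not part of the original message or of glibc: a sketch of sizing the SHA-crypt `rounds=` parameter from application load (peak verifications per second, cores, CPU share) as well as from raw hash speed, the distinction the comment above draws. The function names, the SHA-512 timing proxy and the deployment figures are assumptions constructed for illustration.

```python
"""Rounds budget for SHA-crypt ($5$/$6$) from load, not just CPU speed."""
import hashlib
import time

# Limits of the rounds= parameter in the SHA-crypt specification.
ROUNDS_MIN, ROUNDS_MAX = 1_000, 999_999_999


def measure_round_ns(samples=20_000):
    """Rough per-round cost: one SHA-512 over a 64-byte buffer.
    Assumption: a proxy only; a real SHA-crypt round hashes a bit more data."""
    buf = b"\x00" * 64
    start = time.perf_counter_ns()
    for _ in range(samples):
        buf = hashlib.sha512(buf).digest()
    return max(1, (time.perf_counter_ns() - start) // samples)


def rounds_budget(round_ns, max_latency_ms, peak_logins_per_s, cores, cpu_percent):
    """Return (latency_limit, load_limit, chosen) in rounds, integer math only.

    latency_limit: what a "target time on an idle core" rule would pick.
    load_limit: most rounds such that peak_logins_per_s verifications per
    second consume at most cpu_percent of all cores.
    chosen: the smaller of the two, clamped to the SHA-crypt limits.
    """
    latency_limit = (max_latency_ms * 1_000_000) // round_ns
    cpu_ns_per_second = cores * 1_000_000_000 * cpu_percent // 100
    load_limit = cpu_ns_per_second // peak_logins_per_s // round_ns
    chosen = min(latency_limit, load_limit)
    return latency_limit, load_limit, max(ROUNDS_MIN, min(ROUNDS_MAX, chosen))


if __name__ == "__main__":
    ns = measure_round_ns()
    # Constructed deployments: same machine, different application load.
    for name, rate in (("single-user box", 1), ("busy web login", 200)):
        lat, load, chosen = rounds_budget(ns, 50, rate, cores=4, cpu_percent=25)
        print(f"{name}: latency-only={lat} load-limit={load} rounds={chosen}")
```

When `load_limit` falls below `ROUNDS_MIN`, the clamp means the stated CPU share cannot be met at peak, so the fix is capacity or rate limiting rather than a lower round count.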