On Jan 03, Sam Hartman <hartm...@mit.edu> wrote:

> I don't know what the sha512 option we're using as a default does, but I
> suspect yescrypt is probably an improvement. Sorry, I'm too lazy today
> to go look up what sha512 actually means. (I mean if it actually means
> hash the password with sha512 with no salt, then that's so brain dead as
> to not be plausible. I'm guessing it's some salted sha2-512-based KDF).

Yes, it's salted, but the default configuration does not use near enough rounds to be robust nowadays. Yescrypt and Argon2 are a huge improvement over plain hashing because they are also memory-hard so that they cannot be cheaply implemented in ASICs.

Argon2 may be added to libcrypt later this year (https://github.com/besser82/libxcrypt/pull/113), but it will be too late for the next Debian release and its main selling point is "winner of the PHC competition", so nobody is in a hurry to adopt it anyway.

-- 
ciao,
Marco
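An added example, not part of the original message: a small audit of shadow(5)-style entries that reports which crypt(3) scheme each hash uses and flags sha512crypt entries still on the default round count discussed above. The function names, the `MIN_ROUNDS` policy threshold and the sample entries are assumptions made for illustration.

```python
import re

SHA_DEFAULT_ROUNDS = 5000   # sha256crypt/sha512crypt cost when no rounds= field is present
MIN_ROUNDS = 100_000        # assumed local policy threshold, not a figure from the thread
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
PREFIX = re.compile(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?")

def classify(field):
    """Return (scheme, rounds, verdict) for the hash field of one shadow entry."""
    body = field.lstrip("!")             # a leading '!' marks a locked password
    if body in ("", "*"):
        return ("none", None, "skip")    # no usable password hash stored
    m = PREFIX.match(body)
    if not m:
        return ("unknown", None, "review")
    scheme = SCHEMES.get(m.group(1), "unknown")
    if scheme == "yescrypt":
        return (scheme, None, "ok")      # memory-hard; cost is in its own parameter field
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = int(m.group(2)) if m.group(2) else SHA_DEFAULT_ROUNDS
        return (scheme, rounds, "ok" if rounds >= MIN_ROUNDS else "weak")
    if scheme == "md5crypt":
        return (scheme, 1000, "weak")    # fixed iteration count, not tunable
    return (scheme, None, "review")

def audit(shadow_text):
    """Classify every entry in shadow(5)-formatted text; returns a list of tuples."""
    report = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        report.append((parts[0],) + classify(parts[1]))
    return report

# Constructed sample: salts and digests are placeholders, not real hashes.
SAMPLE = """\
alice:$6$EXAMPLESALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
bob:$6$rounds=656000$EXAMPLESALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
carol:$y$j9T$EXAMPLESALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, rounds, verdict in audit(SAMPLE):
        print(f"{user:8} {scheme:12} rounds={rounds} -> {verdict}")
```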