On Mon, May 13, 2013 at 20:44, Stuart Henderson wrote:
> On 2013/05/13 19:32, Mark Lumsden wrote:
>> I agree. tedu suggest 9 for the number of user rounds and 11 for
>> root back in 2010. Are these numbers reasonable on most archs?
Note that login.conf defaults can be adjusted on a per arch basis. We
are mostly split between old-slow and new-fast archs, with the
exception of i386, where people run everything from 200mhz geodes to
4ghz xeon.
> Actually iirc there was a diff to encrypt(1) to make it automatically
> pick a value which wasn't too slow on the machine, which might be a decent
> default setting (as long as those who are more concerned about the speed
> of attackers machines can raise it above this value).
That would be this:
encrypt -b a picks a nice number for you. I get 11 on a fast i5,
which is still imperceptible. Minus one knob.
On a slower machine, this will effectively raise the minimum to 7,
while reducing the root value to 7 as well. I think that's fair.
Index: encrypt.c
===================================================================
RCS file: /cvs/src/usr.bin/encrypt/encrypt.c,v
retrieving revision 1.28
diff -u -p -r1.28 encrypt.c
--- encrypt.c 14 Jul 2007 21:26:38 -0000 1.28
+++ encrypt.c 20 Feb 2013 13:43:31 -0000
@@ -63,6 +63,31 @@ usage(void)
exit(1);
}
+int
+ideal_rounds()
+{
+ clock_t before, after;
+ int r = 8;
+ char buf[_PASSWORD_LEN];
+ int duration;
+
+ before = clock();
+ strlcpy(buf, bcrypt_gensalt(r), _PASSWORD_LEN);
+ crypt("testpassword", buf);
+ after = clock();
+
+ duration = after - before;
+
+ while (duration < 50) {
+ r += 1;
+ duration *= 2;
+ }
+ r -= 1;
+
+ return r;
+}
+
+
void
print_passwd(char *string, int operation, void *extra)
{
@@ -160,7 +185,10 @@ main(int argc, char **argv)
if (operation != -1)
usage();
operation = DO_BLF;
- rounds = strtonum(optarg, 1, INT_MAX, &errstr);
+ if (strcmp(optarg, "a") == 0)
+ rounds = ideal_rounds();
+ else
+ rounds = strtonum(optarg, 1, INT_MAX, &errstr);
if (errstr != NULL)
errx(1, "%s: %s", errstr, optarg);
extra = &rounds;
