Re: Revisiting the SHA1 default password hash
Quanah Gibson-Mount wrote:
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu
<hyc(a)symas.com> wrote:
>> Yes, but there should be something stronger.
>>
>> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
>
> Yeah at this point we can probably bypass SHA2 and just go straight to
> SHA3. There's a lot of crypto software out there already using it. pbkdf2
> is still using SHA2.
Worthwhile to read over:
<https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016>
Hm, where did these recommendations come from? They include Scrypt among their
recommendations, but there are Scrypt ASICs all over the web already making it
trivially hackable.
e.g. http://zoomhash.com/ (just google "scrypt asic" ...)
libsodium's a pretty trivial compile, I added it to Zimbra a while back for
another project.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/