Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: None <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/23/2002 20:39:47
In message <firstname.lastname@example.org>, email@example.com writes:
>>My suggested algorithm is this:
>> s = salt; /* or s = hmac_sha512(site-specific-string, salt); */
>> for (i = 0; i < num_iterations; i++)
>>     s = hmac_sha512(password, s);
> hmm. i see. we should implement $2$ as openbsd does (there's no need
> to be different), and the above algorithm can become $3$.
Sounds good. It will take a bit of experimenting to decide what the
right default value is for num_iterations. It would be nice if there
were a way to parameterize it in /etc/passwd.conf.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
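
Added example, not part of the original message or of any NetBSD code: the quoted loop written out in Python, with a timing probe of the kind the reply has in mind for choosing a num_iterations default. It assumes hmac_sha512(key, message) argument order; the function names, the 0.1 second target and the floor of 1000 are hypothetical.

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def iterated_hmac_sha512(password: bytes, salt: bytes, num_iterations: int,
                         site_string: Optional[bytes] = None) -> bytes:
    """s = salt; then num_iterations rounds of s = HMAC-SHA512(password, s)."""
    if num_iterations < 0:
        raise ValueError("num_iterations must be non-negative")
    # Variant from the quoted comment: s = hmac_sha512(site-specific-string, salt)
    if site_string is None:
        s = salt
    else:
        s = hmac.new(site_string, salt, hashlib.sha512).digest()
    for _ in range(num_iterations):
        # Assumption: the password is the HMAC key, the running value the message.
        s = hmac.new(password, s, hashlib.sha512).digest()
    return s


def verify(password: bytes, salt: bytes, num_iterations: int, expected: bytes,
           site_string: Optional[bytes] = None) -> bool:
    """Recompute the hash and compare without leaking where the bytes differ."""
    candidate = iterated_hmac_sha512(password, salt, num_iterations, site_string)
    return hmac.compare_digest(candidate, expected)


def calibrate_iterations(target_seconds: float = 0.1,
                         probe_iterations: int = 2000,
                         floor: int = 1000) -> int:
    """Time a short probe run and scale it to the target cost per password check."""
    salt = os.urandom(16)  # constructed sample salt, used only for timing
    start = time.perf_counter()
    iterated_hmac_sha512(b"calibration password", salt, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    per_iteration = elapsed / probe_iterations
    # Never go below the floor, however fast the probe machine is.
    return max(floor, int(target_seconds / per_iteration))


if __name__ == "__main__":
    n = calibrate_iterations()
    salt = os.urandom(16)
    stored = iterated_hmac_sha512(b"correct horse", salt, n)
    print("num_iterations for ~0.1 s on this machine:", n)
    print("right password verifies:", verify(b"correct horse", salt, n, stored))
    print("wrong password verifies:", verify(b"wrong horse", salt, n, stored))
```

The calibrated count depends on the machine it runs on, so it has to be stored beside the salt for verification to work elsewhere.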