Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: None <>
From: Steven M. Bellovin <>
List: current-users
Date: 05/23/2002 20:39:47
In message <>, writes:
>>My suggested algorithm is this:
>>	s = salt;	/* or s = hmac_sha512(site-specific-string, salt); */
>>	for (i = 0; i < num_iterations; i++)
>>		s = hmac_sha512(password, s);
>	hmm.  i see.  we should implement $2$ as openbsd does (there's no need
>	to be different), and the above algorithm can become $3$.
Sounds good.  It will take a bit of experimenting to decide what the 
right default value is for num_iterations.  It would be nice if there 
were a way to parameterize it in /etc/passwd.conf.

		--Steve Bellovin, (me) ("Firewalls" book)
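
Added example, not part of the original message or of NetBSD's code: the quoted loop in Python, with num_iterations stored in each entry so the default can be changed later without breaking existing hashes. The field layout after $3$, the MAX_ROUNDS ceiling and the calibrate() helper are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from base64 import b64decode, b64encode

MAX_ROUNDS = 10_000_000  # assumed ceiling so a corrupt entry cannot stall login


def iterate_hmac(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Quoted loop: s = salt; then s = HMAC-SHA512(key=password, msg=s), rounds times."""
    s = salt
    for _ in range(rounds):
        s = hmac.new(password, s, hashlib.sha512).digest()
    return s


def make_hash(password: str, rounds: int, salt: bytes = b"") -> str:
    """Encode as $3$<rounds>$<b64 salt>$<b64 digest> (this layout is an assumption)."""
    if not 1 <= rounds <= MAX_ROUNDS:
        raise ValueError("rounds out of range")
    salt = salt or os.urandom(16)  # random 16-byte salt unless the caller supplies one
    digest = iterate_hmac(password.encode(), salt, rounds)
    return "$3$%d$%s$%s" % (rounds, b64encode(salt).decode(), b64encode(digest).decode())


def verify(password: str, stored: str) -> bool:
    """Recompute with the rounds and salt kept in the entry; compare in constant time."""
    try:
        empty, ident, rounds_s, salt_b64, digest_b64 = stored.split("$")
        rounds = int(rounds_s)
        salt = b64decode(salt_b64, validate=True)
        want = b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, non-numeric rounds, or bad base64
        return False
    if empty or ident != "3" or not 1 <= rounds <= MAX_ROUNDS:
        return False
    return hmac.compare_digest(iterate_hmac(password.encode(), salt, rounds), want)


def calibrate(target_seconds: float, rounds: int = 1000) -> int:
    """Double rounds until one hash takes at least target_seconds on this machine."""
    while rounds < MAX_ROUNDS:
        t0 = time.perf_counter()
        iterate_hmac(b"calibration", b"constructed-salt", rounds)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2
    return MAX_ROUNDS
```

Because verify() reads the count from the stored entry, a configured default would only affect newly set passwords.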