Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Perry E. Metzger <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 05/24/2002 11:39:48
In message <email@example.com>, "Perry E. Metzger" writes:
>> >My suggested algorithm is this:
>> > s = salt; /* or s = hmac_sha512(site-specific-string, salt); */
>> > for (i = 0; i < num_iterations; i++)
>> > s = hmac_sha512(password, s);
>> hmm. i see. we should implement $2$ as openbsd does (there's no need
>> to be different), and the above algorithm can become $3$.
>the $3$ notion is probably an idea to mention on bsd-api-discuss...
My personal preference would be $hmac-sha512$, but I'm not dogmatic
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)