Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Tero Kivinen <kivinen@ssh.fi>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 06/03/2002 21:57:12
In message <15611.55848.172493.847172@ryijy.hel.fi.ssh.com>, Tero Kivinen writes:
>smb@research.att.com ("Steven M. Bellovin") writes:
>> In message <3028.1022196192@itojun.org>, itojun@iijlab.net writes:
>> >>	s = salt;	/* or s = hmac_sha512(site-specific-string, salt); */
>> >>	for (i = 0; i < num_iterations; i++)
>> >>		s = hmac_sha512(password, s);
>> Sounds good.  It will take a bit of experimenting to decide what the 
>> right default value is for num_iterations.  It would be nice if there 
>> were a way to parameterize it in /etc/passwd.conf.
>
>Actually I think the num_iterations should be stored along with the
>salt to the encrypted password. This way the num_iterations can be
>changed by changing the passwd.conf, and all new passwords would start
>using the new num_iterations. Also the default could be something
>like:
>
>num_iterations = time(NULL) / div + base;
>
>so it goes up over time, as the cpu speeds go up too... Of course the
>div and base could be parameterized in the /etc/passwd.conf too...

Clearly, the number of iterations for a given password must be stored 
with the hashed password.  My comment was about the number to be used 
at password change time.  Your default is interesting -- I was about to 
object that time() returns the number of seconds since the epoch, 
rather than a measure of the machine's speed -- until I realized that 
that was exactly what you meant!  Very clever...

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
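
Added example, not part of the original message or of any NetBSD code: a sketch of the scheme discussed in this thread, with the iteration count stored next to the salt in the hashed entry and the time-based default used only when a password is set. The "$hmac-sha512$count$salt$digest" entry layout, the DIV, BASE and MAX_ITER values, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-ins for the "div" and "base" passwd.conf parameters.
DIV = 30 * 86400
BASE = 1000
MAX_ITER = 10_000_000  # assumed sanity cap on a stored count

def default_iterations(now=None, div=DIV, base=BASE):
    """num_iterations = time(NULL) / div + base, used at password change time."""
    now = int(time.time()) if now is None else int(now)
    return now // div + base

def iterate(password: bytes, salt: bytes, n: int) -> bytes:
    """s = salt; then n rounds of s = hmac_sha512(password, s)."""
    s = salt
    for _ in range(n):
        s = hmac.new(password, s, hashlib.sha512).digest()
    return s

def make_entry(password: bytes, salt: bytes = None, n: int = None) -> str:
    """Hash a new password; the count is written into the entry itself."""
    salt = os.urandom(16) if salt is None else salt
    n = default_iterations() if n is None else n
    return "$hmac-sha512$%d$%s$%s" % (n, salt.hex(), iterate(password, salt, n).hex())

def verify(password: bytes, entry: str) -> bool:
    """Check a password using the count and salt stored in the entry,
    not whatever the configuration says today."""
    try:
        _, scheme, n_field, salt_hex, digest_hex = entry.split("$")
        n = int(n_field)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed entry
    if scheme != "hmac-sha512" or not 1 <= n <= MAX_ITER:
        return False
    return hmac.compare_digest(iterate(password, salt, n), expected)
```

Because verify() reads the count from the entry, raising the configured default affects only passwords set afterwards; older entries keep verifying with the count they were created with.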