Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Steven M. Bellovin <smb@research.att.com>
From: Michael Eriksson <Michael.Eriksson@era-t.ericsson.se>
List: current-users
Date: 06/07/2002 00:30:19
Steven M. Bellovin wrote:
> In message <15611.55848.172493.847172@ryijy.hel.fi.ssh.com>, Tero Kivinen writes:
> >Actually I think the num_iterations should be stored along with the
> >salt to the encrypted password. This way the num_iterations can be
> >changed by changing the passwd.conf, and all new passwords would start
> >using the new num_iterations. Also the default could be something
> >like:
> >
> >num_iterations = time(NULL) / div + base;
> >
> >so it goes up over time, as the cpu speeds go up too... Of course the
> >div and base could be parameterized in the /etc/passwd.conf too...
> 
> Clearly, the number of iterations for a given password must be stored 
> with the hashed password.  My comment was about the number to be used 
> at password change time.  Your default is interesting -- I was about to 
> object that time() returns the number of seconds since the epoch, 
> rather than a measure of the machine's speed -- until I realized that 
> that was exactly what you meant!  Very clever...

You are forgetting that Moore's law is exponential, not linear...

-- 
Michael Eriksson <eramore@era-t.ericsson.se>
/usr/sys/ken/slp.c:	 * You are not expected to understand this.
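
Added example, not part of the original message or of any NetBSD code: it puts the linear `time(NULL) / div + base` default from the thread beside an exponential alternative that raises a log2 cost by one per doubling period, and shows the cost being written next to the salt and read back at verification time. The `div`, `base`, 18-month doubling period, reference time and the bcrypt-style `$2a$NN$` prefix are assumptions chosen for illustration; the timestamps are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Linear default from the thread: time(NULL) / div + base. */
unsigned long linear_iterations(time_t now, unsigned long div, unsigned long base)
{
    return (unsigned long)now / div + base;
}

/* Exponential variant: the log2 cost gains 1 (work doubles) every
 * doubling_secs after ref_time, clamped to [base_log2, max_log2]. */
unsigned exp_log2_rounds(time_t now, time_t ref_time, unsigned long doubling_secs,
                         unsigned base_log2, unsigned max_log2)
{
    if (now <= ref_time || doubling_secs == 0 || base_log2 >= max_log2)
        return base_log2;
    unsigned long steps = (unsigned long)(now - ref_time) / doubling_secs;
    return steps > max_log2 - base_log2 ? max_log2 : base_log2 + (unsigned)steps;
}

/* Store the cost next to the salt: "$2a$NN$" prefix (assumed format). */
int format_prefix(char *out, size_t len, unsigned log2_rounds)
{
    int n = snprintf(out, len, "$2a$%02u$", log2_rounds);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Verification reads the cost from the stored hash, not from current
 * policy. Returns -1 on a malformed or out-of-range (4..31) field. */
int parse_log2_rounds(const char *stored)
{
    if (strncmp(stored, "$2a$", 4) != 0 || !isdigit((unsigned char)stored[4]) ||
        !isdigit((unsigned char)stored[5]) || stored[6] != '$')
        return -1;
    int v = (stored[4] - '0') * 10 + (stored[5] - '0');
    return (v >= 4 && v <= 31) ? v : -1;
}

int main(void)
{
    time_t t0 = 1023408000;            /* constructed: June 2002 */
    time_t t1 = t0 + 3 * 47304000L;    /* constructed: three 18-month periods later */
    char prefix[8];
    format_prefix(prefix, sizeof prefix, exp_log2_rounds(t1, t0, 47304000UL, 6, 31));
    printf("linear: %lu -> %lu, exponential: %s (cost %d)\n",
           linear_iterations(t0, 100000000UL, 6), linear_iterations(t1, 100000000UL, 6),
           prefix, parse_log2_rounds(prefix));
    return 0;
}
```

With these constructed values the linear count moves from 16 to 17 over 4.5 years, while the exponential cost moves from 6 to 9, an eightfold increase in work.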