Re: Which password cipher ?

[Julio Merino <jmmv%NetBSD.org@localhost>]

On Tue, Nov 30, 2010 at 9:58 PM, Joel Carnat <joel%carnat.net@localhost> wrote:
> Hi,
>
> I'm installing a new domU and just realize I always choose the DES cipher for 
> storing local passwords as it is supposed to be the most compatible. I 
> personally don't use NIS (anymore) and password I share are store in LDAP 
> using SSHA1.
>
> Is it still save to store local password in DES or should something else be 
> used if possible ?
> If so, what's the best option Blowfish, SHA1 ?
>
> I read SHA1 has issues and SHA2 based cipher should be preferred.
> It also seems that OpenBSD uses Blowfish.

Which makes me wonder... why do we even *ask* people to choose a
cypher algorithm during install?  Couldn't we, as the developers of
the system, make a good choice for our users (and let them change it
after installation if they so wish, just as they can with everything
else)?  (It just feels stupid that we have a question in sysinst for
something as trivial as this but we don't have a way to select, e.g.
which services to enable.)

Which are the advantages/disadvantages of every method?  Is it there a
single algorithm that we could just make the default?  (passwd.conf(5)
does not answer any of these questions.)

-- 
Julio Merino