public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "sf at sfritsch dot de" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug libc/16814] New: RFE: Reconsider adding bcrypt (or scrypt) support Date: Sun, 06 Apr 2014 17:57:00 -0000 [thread overview] Message-ID: <bug-16814-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=16814 Bug ID: 16814 Summary: RFE: Reconsider adding bcrypt (or scrypt) support Product: glibc Version: unspecified Status: NEW Severity: enhancement Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: sf at sfritsch dot de CC: drepper.fsp at gmail dot com I know that there has been a previous request for bcrypt support in crypt(3) [1] which has been refued. But I want to ask you to reconsider. The sha-crypt algorithms supported by glibc today have the problem that using a GPU speeds up brute forcing significantly. See e.g. [2] This is especially a problem when using password hashing in situations where the work factor (the number of rounds) cannot be increased arbitrarily: 1) on low power systems (think ARM, Atom) 2) in situations where lots of hashing operations have to be done per second. For example on web servers for basic authentication, where the check needs to be done for every request. Also, adding bcrypt support to glibc improves interopability in heterogeneous environments where accounts are distributed on many machines automatically. There are OSs that support bcrypt but not sha-crypt. Those OSs (rightly) don't like to add support a less secure scheme for the sake of interopability. Of course, one could also argue for support for scrypt. It has some advantages over bcrypt against FPGA-based attacks. But scrypt requires >1MB RAM to defend as good against GPU-based brute forcing, and that makes its use in the webserver scenario somewhat problematic. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=13286 [2] http://www.openwall.com/presentations/Passwords12-The-Future-Of-Hashing/mgp00042.html -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2014-04-06 17:57 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-04-06 17:57 sf at sfritsch dot de [this message] 2014-06-12 19:46 ` [Bug libc/16814] " fweimer at redhat dot com 2015-07-05 17:40 ` rsawhill+sw at redhat dot com 2023-06-23 11:47 ` [Bug crypt/16814] " dominik.mierzejewski at citi dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-16814-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).