[Whonix-devel] Bug#931994: improve key strengthening, add rounds=65536 to /etc/pam.d/common-password
Patrick Schleizer
adrelanos at riseup.net
Sat Jul 13 15:32:00 CEST 2019
Package: libpam-runtime
Severity: wishlist
X-Debbugs-CC: whonix-devel at whonix.org
Dear maintainer,
could you please append 'rounds=65536' to 'password [success=1
default=ignore] pam_unix.so obscure sha512' in file
/usr/share/pam/common-password ? In other words:
/usr/share/pam/common-password currently has:
password [success=1 default=ignore] pam_unix.so obscure sha512
Could that be made
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536
please?
rationale: improve key strengthening
quote https://wiki.archlinux.org/index.php/SHA_password_hashes :
> The rounds=N option helps to improve key strengthening. The number of
> rounds has a larger impact on security than the selection of a hash
> function. For example, rounds=65536 means that an attacker has to
> compute 65536 hashes for each password he tests against the hash in your
> /etc/shadow. Therefore the attacker will be delayed by a factor of
> 65536. This also means that your computer must compute 65536 hashes
> every time you log in, but even on slow computers that takes less than 1
> second. If you do not use the rounds option, then glibc will default to
> 5000 rounds for SHA-512. Additionally, the default value for the rounds
> option can be found in sha512-crypt.c.
Kind regards,
Patrick
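
Added example, not part of the original message: the rounds count is recorded inside each SHA-crypt hash, so a rounds= option in PAM only applies to passwords set afterwards, and existing /etc/shadow entries keep their old count. This sketch reads the rounds option from a common-password line and lists accounts whose stored hash is below a chosen minimum; the function names and sample entries are assumptions made for illustration.

```python
import re

DEFAULT_ROUNDS = 5000  # glibc default when the hash carries no rounds= field
SCHEMES = {"5": "sha256", "6": "sha512"}
SHA_CRYPT = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?[^$]*\$[./0-9A-Za-z]+$")

# Constructed sample input: the two PAM lines from the message, and made-up
# shadow entries whose salts and digests are placeholders, not real hashes.
PAM_CURRENT = "password [success=1 default=ignore] pam_unix.so obscure sha512"
PAM_PROPOSED = PAM_CURRENT + " rounds=65536"
SAMPLE_SHADOW = "\n".join([
    "alice:$6$examplesalt$" + "A" * 86 + ":18090:0:99999:7:::",
    "bob:$6$rounds=65536$examplesalt$" + "B" * 86 + ":18090:0:99999:7:::",
    "carol:!:18090:0:99999:7:::",
])


def pam_unix_rounds(pam_text):
    """Return N from rounds=N on the pam_unix.so password line, or None if unset."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] != ["password"] or "pam_unix.so" not in fields:
            continue
        for option in fields[fields.index("pam_unix.so") + 1:]:
            if option.startswith("rounds="):
                return int(option.split("=", 1)[1])
    return None


def shadow_rounds(hash_field):
    """Return (scheme, rounds) for a SHA-crypt hash, None for any other format."""
    match = SHA_CRYPT.match(hash_field.lstrip("!"))  # "!" prefix marks a locked account
    if not match:
        return None
    return SCHEMES[match.group(1)], int(match.group(2) or DEFAULT_ROUNDS)


def audit_shadow(shadow_text, minimum):
    """List (user, scheme, rounds) for stored hashes using fewer than minimum rounds."""
    weak = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        parsed = shadow_rounds(parts[1]) if len(parts) > 1 else None
        if parsed and parsed[1] < minimum:
            weak.append((parts[0], *parsed))
    return weak


if __name__ == "__main__":
    print(pam_unix_rounds(PAM_CURRENT), pam_unix_rounds(PAM_PROPOSED), audit_shadow(SAMPLE_SHADOW, 65536))
```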