[Whonix-devel] Bug#931994: improve key strengthening, add rounds=65536 to /etc/pam.d/common-password

Patrick Schleizer adrelanos at riseup.net
Sat Jul 13 15:32:00 CEST 2019


Package: libpam-runtime
Severity: wishlist
X-Debbugs-CC: whonix-devel at whonix.org

Dear maintainer,

could you please append 'rounds=65536' to 'password	[success=1 default=ignore]	pam_unix.so obscure sha512' in file /usr/share/pam/common-password? In other words:

/usr/share/pam/common-password currently has:

password	[success=1 default=ignore]	pam_unix.so obscure sha512

Could that be made

password	[success=1 default=ignore]	pam_unix.so obscure sha512 rounds=65536

please?

rationale: improve key strengthening

quote https://wiki.archlinux.org/index.php/SHA_password_hashes :

> The rounds=N option helps to improve key strengthening. The number of
> rounds has a larger impact on security than the selection of a hash
> function. For example, rounds=65536 means that an attacker has to
> compute 65536 hashes for each password he tests against the hash in your
> /etc/shadow. Therefore the attacker will be delayed by a factor of
> 65536. This also means that your computer must compute 65536 hashes
> every time you log in, but even on slow computers that takes less than 1
> second. If you do not use the rounds option, then glibc will default to
> 5000 rounds for SHA-512. Additionally, the default value for the rounds
> option can be found in sha512-crypt.c.

Kind regards,
Patrick
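As an added example (not part of the original report or of libpam-runtime), a small Python audit that reads the rounds= value back out of SHA-crypt hashes in a constructed /etc/shadow sample and out of a pam_unix common-password line, applying the glibc default of 5000 when the option is absent, so an administrator can spot accounts still hashed below the requested 65536. The SAMPLE_SHADOW entries are constructed placeholders, not real hashes.

```python
import re
# glibc uses this many rounds for $5$/$6$ hashes when no rounds= field is present
GLIBC_DEFAULT_ROUNDS = 5000

# Constructed /etc/shadow sample; salts and hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$constructedSalt$constructedHashBody:18000:0:99999:7:::
alice:$6$constructedSalt$constructedHashBody:18000:0:99999:7:::
bob:$5$rounds=10000$constructedSalt$constructedHashBody:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest:!:18000:0:99999:7:::
"""

SHA_CRYPT = re.compile(r'^\$(5|6)\$(?:rounds=(\d+)\$)?([^$]+)\$(.+)$')

def parse_rounds(hash_field):
    """Return (method, rounds) for a $5$/$6$ hash, or None for locked/non-SHA-crypt fields."""
    m = SHA_CRYPT.match(hash_field)
    if not m:
        return None
    method = 'sha256' if m.group(1) == '5' else 'sha512'
    rounds = int(m.group(2)) if m.group(2) else GLIBC_DEFAULT_ROUNDS
    return method, rounds

def audit_shadow(text, minimum_rounds=65536):
    """List (user, method, rounds) for SHA-crypt entries hashed with fewer than minimum_rounds."""
    weak = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(':')[:2]
        info = parse_rounds(hash_field)
        if info is not None and info[1] < minimum_rounds:
            weak.append((user,) + info)
    return weak

def pam_unix_rounds(line):
    """Rounds pam_unix will request for new passwords on a common-password line (None if not pam_unix)."""
    tokens = line.split()
    if 'pam_unix.so' not in tokens:
        return None
    for tok in tokens[tokens.index('pam_unix.so') + 1:]:
        if tok.startswith('rounds='):
            return int(tok.split('=', 1)[1])
    return GLIBC_DEFAULT_ROUNDS  # no rounds= option: the new hash gets glibc's default

if __name__ == '__main__':
    for user, method, rounds in audit_shadow(SAMPLE_SHADOW):
        print(f'{user}: {method} with {rounds} rounds (below 65536)')
```

Existing hashes keep their old round count until the password is changed, so raising the pam_unix option only affects passwords set afterwards; the audit above shows which accounts still need a reset.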

