On 7/15/2012 2:14 AM, Ed W wrote:
Interestingly, there doesn't seem to be so much difference between iterated sha-512 (sha512crypt) and bcrypt. Based on looking at latest John the Ripper results (although I'm a bit confused because they don't seem to quote the baseline results using the normal default number of rounds?)
So I think right now, many/most modern glibc are shipping with sha256/512crypt implementations (recently uclibc also added this).
Indeed. What I have seen is a great deal of variation in the configuration (/etc/login.defs or your distro's equivalent) in terms of making use of such things.
I don't see any added value to bcrypt over iterated SHA-512, really, and while I don't even pretend to claim I've looked at all distros, even "old-school" ones like Slackware have full support for it. I suspect many admins doubt this because of configurations that don't make use of the modern hashing functionality.
Converting shadow files and/or login.defs would seem to be the bulk of the SysAdmin work to beef up the protection to bcrypt levels here.
Remember to keep this in perspective though - as the nature of this "vulnerability" extends to the case where your shadow file's hashes have been cloned, meaning a root-compromise or local device clone/access was made of it, etc.
=R=
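
An added example, not part of the original message: a small audit that reads shadow-format lines and login.defs settings and lists accounts whose stored hash is not sha512crypt at the configured minimum rounds. The sample data is constructed, the function names are hypothetical, and it assumes bcrypt entries are acceptable and that sha256crypt/sha512crypt without a rounds= field use the crypt(3) default of 5000.

```python
import re

# Constructed sample data (no real accounts or real hashes).
SAMPLE_SHADOW = """\
root:$6$rounds=100000$c2FsdHNhbHQ$EXAMPLEHASH:15536:0:99999:7:::
alice:$6$c2FsdHNhbHQ$EXAMPLEHASH:15536:0:99999:7:::
bob:$1$c2FsdHNh$EXAMPLEHASH:15536:0:99999:7:::
carol:$2a$10$EXAMPLESALTANDHASH:15536:0:99999:7:::
daemon:*:15536:0:99999:7:::
"""
SAMPLE_LOGIN_DEFS = """\
# constructed login.defs fragment
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 100000
"""
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # applies when the hash has no rounds= field

def parse_login_defs(text):
    """Return {KEY: value} for the non-comment lines of a login.defs file."""
    pairs = (ln.split(None, 1) for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#"))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def classify(field):
    """Map a shadow password field to (scheme, work factor or None)."""
    field = field.lstrip("!")          # a leading "!" marks a locked password
    if field in ("", "*"):
        return ("no-hash", None)       # disabled or empty: nothing to assess
    m = re.match(r"\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return ("descrypt-or-unknown", None)
    scheme = SCHEMES.get(m.group(1), "unknown")
    if scheme in ("sha256crypt", "sha512crypt"):
        return (scheme, int(m.group(2) or SHA_CRYPT_DEFAULT_ROUNDS))
    if scheme == "bcrypt":
        return (scheme, int(field.split("$")[2]))  # cost is log2 of iterations
    return (scheme, None)

def audit(shadow_text, min_rounds):
    """List (user, scheme, rounds) for hashes needing conversion."""
    weak = []
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        scheme, work = classify(rest.split(":")[0])
        # Assumption: bcrypt is not flagged; everything else must be sha512crypt.
        if scheme not in ("no-hash", "bcrypt") and (
                scheme != "sha512crypt" or work < min_rounds):
            weak.append((user, scheme, work))
    return weak
```

Existing hashes keep their old scheme and round count until the password is next changed, so the accounts this lists need a password reset after login.defs is updated.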