> > Let me also suggest something: stop using non-iterated SHA-1 hashes > > before they're used any wider. Use a modern iterated hash intended > > for passwords instead. > > Could you please provide a pointer to information about these iterated > hash algorithms? They are news to me. Well, slower hashes are used to make key searches more expensive since at least 24 years ago: April 3, 1978 ... Password Security: A Case History ... IMPROVEMENTS TO THE FIRST APPROACH Slower Encryption ... Obviously, the first algorithm used was far too fast. The announcement of the DES encryption algorithm [2] by the National Bureau of Standards was timely and fortunate. The DES is, by design, hard to invert, but equally valuable is the fact that it is extremely slow when implemented in software. ... Then the DES algorithm is iterated 25 times ... These quotes are from the Unix V7 manual, http://plan9.bell-labs.com/7thEdMan/vol2/password My opinion is that the slow-in-software property of DES was in fact undesirable (I'll avoid going into that much detail for this post), but the use of multiple iterations was a good idea. The 25 iterations effectively "stretch" the passwords by about 5 bits. However, processors become faster while the size of passwords remains about the same, so a constant iteration count isn't sufficient. David Burren's "FreeSec" (1994), which is an implementation of crypt(3) for NetBSD (now used on all three *BSD's), adds a "new-style" mode where a different iteration count (24-bit) may be specified on an installed system (to be used for new passwords) without affecting compatibility. (The same hashing method is also found on BSDI, and is actually used there. It is possible that their implementation appeared earlier, I just don't know.) I am now using this hashing method on some systems (Linux) at 100001 iterations. In order to achieve the same level of security with the traditional crypt(3), the users would need to remember 12 bit longer passwords. Finally, the Blowfish-based password hashes found on OpenBSD also support a variable iteration count, and they're what we should be using these days: http://www.openwall.com/crypt/ http://www.usenix.org/events/usenix99/provos.html Signed, Solar Designer
