kernel-packages team mailing list archive

[Bug 1349252] Re: crypt(3) lacks Blowfish support

 

For password hashing, bcrypt *is* better, by design. There's absolutely
no ambiguity here, the consensus is fully in favour of bcrypt. Hashes
like SHA512 are general purpose, designed to run really fast, whereas
bcrypt is explicitly for secure hashing and is deliberately, tuneably
slow. There are many articles on the subject; here are some (from *5
years ago*!):

http://codahale.com/how-to-safely-store-a-password/
http://blog.codinghorror.com/speed-hashing/

Frankly I'm shocked this is even being questioned. Without bcrypt in
libc, all apps that rely on libc for hashing (I've just run into it with
dovecot in 14.04) are not as secure as they should be. Hasn't this been
flagged by the Ubuntu security team?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1349252

Title:
  crypt(3) lacks Blowfish support

Status in glibc package in Ubuntu:
  Won't Fix
Status in linux package in Ubuntu:
  Invalid

Bug description:
  crypt(3) bundled with Ubuntu's GNU C Library supports MD5, DES, SHA256
  and SHA512 hashing methods, but lacks support for Blowfish (aka
  bcrypt).

  There is a patch available from Openwall:
  http://www.openwall.com/crypt/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1349252/+subscriptions
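
An added example, not part of the original message or of glibc: a Python classifier for crypt(3) modular-format hash strings (as found in /etc/shadow or a mail server's password file) that reports the scheme, its iteration count, and whether a crypt(3) limited to the methods named in the bug description could verify it. The function name and the sample hashes are assumptions; the samples are constructed placeholders, not real digests.

```python
import re

# Prefix -> scheme name for the modular crypt format used by crypt(3).
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
# Methods the bug description lists as supported by Ubuntu's glibc crypt(3).
GLIBC_METHODS = {"des-crypt", "md5-crypt", "sha256-crypt", "sha512-crypt"}
SHA_DEFAULT_ROUNDS = 5000            # sha-crypt default when no rounds= field
B64 = r"[./0-9A-Za-z]"               # crypt(3) base64 alphabet


def classify(hash_str):
    """Return (scheme, iterations, verifiable_by_glibc) for one hash string.

    Raises ValueError when the prefix is not one of the schemes above (for
    example the '!' or '*' lock markers in /etc/shadow) or when a bcrypt
    field is malformed.
    """
    if re.fullmatch(B64 + "{13}", hash_str):
        return ("des-crypt", 25, True)           # traditional DES: 25 fixed rounds
    m = re.fullmatch(r"\$([0-9a-z]+)\$(.+)", hash_str)
    if not m or m.group(1) not in SCHEMES:
        raise ValueError("unrecognised crypt(3) hash: %r" % hash_str)
    scheme, rest = SCHEMES[m.group(1)], m.group(2)
    if scheme == "bcrypt":
        b = re.fullmatch(r"(\d{2})\$" + B64 + "{53}", rest)  # cost$salt22+hash31
        if not b or not 4 <= int(b.group(1)) <= 31:
            raise ValueError("malformed bcrypt hash")
        iterations = 2 ** int(b.group(1))        # cost is a log2 work factor
    elif scheme == "md5-crypt":
        iterations = 1000                        # fixed, not tunable
    else:                                        # sha256-crypt / sha512-crypt
        r = re.match(r"rounds=(\d+)\$", rest)
        iterations = int(r.group(1)) if r else SHA_DEFAULT_ROUNDS
    return (scheme, iterations, scheme in GLIBC_METHODS)


# Constructed sample hashes (placeholder salt and digest characters).
SAMPLES = [
    "$2b$12$" + "A" * 22 + "B" * 31,
    "$6$rounds=100000$saltsalt$" + "C" * 86,
    "$6$saltsalt$" + "C" * 86,
    "$1$saltsalt$" + "D" * 22,
]

if __name__ == "__main__":
    for h in SAMPLES:
        print("%-14s iterations=%-7d glibc_can_verify=%s" % classify(h))
```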

