On Friday 23 October 2009, William A. Rowe, Jr. wrote:
> Isn't this platform specific? Seems wrong. Why not test the pw
> and the pw+1 char to determine if this is, in fact, true.

Our documentation doesn't talk about the limit being platform specific. But to be safe, I have changed it in r829355.

> With all our integration into openssl maybe we should add 3des
> strong crypt for all platforms that don't otherwise offer it? So
> much easier now that the rules about crypto munitions in open
> source have been relaxed.

The apr1 md5 algorithm seems secure enough. I don't think there is a need for another proprietary password hash algorithm. But it may be nice to add support for whatever is used by linux/*BSD/solaris nowadays. bcrypt/crypt_blowfish [1] (included in recent *BSD and others) would be especially interesting in that it allows adjusting the processing cost for a password check while staying backward compatible.

[1] http://www.openwall.com/crypt/
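For readers who want to see what the "apr1 md5 algorithm" in the reply actually computes, here is an added pure-stdlib re-implementation of the `$apr1$` scheme (MD5-crypt with Apache's magic string). It is example code written for this page, not APR's or httpd's own source, and the function names (`apr1_hash`, `apr1_verify`, `new_salt`) are this example's own. It also makes the thread's contrast concrete: the 1000-round loop is hard-coded by the algorithm, whereas bcrypt encodes a tunable cost in the hash string, which is why the reply finds it "especially interesting".

```python
"""Reference re-implementation of Apache's $apr1$ password hash (added example,
not APR/httpd project code).  The scheme is MD5-crypt with the magic "$apr1$";
the round count is fixed by the algorithm and cannot be raised later, unlike
bcrypt's cost parameter."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"
ROUNDS = 1000  # fixed by the apr1/MD5-crypt design; not adjustable


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet (apr1 uses at most 8 characters)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def apr1_hash(password: str, salt: str) -> str:
    """Return the "$apr1$<salt>$<22 chars>" string for password and salt."""
    pw = password.encode("utf-8")
    salt = salt[:8]                      # apr1 truncates the salt to 8 chars
    s = salt.encode("utf-8")

    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + s)
    alt = hashlib.md5(pw + s + pw).digest()
    # Mix in len(pw) bytes of the alternate digest, wrapping every 16 bytes.
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    # For each bit of len(pw): a NUL byte for a 1 bit, the first password byte for 0.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # The fixed stretching loop: which inputs go in depends on the round number.
    for i in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Output bytes are interleaved in this specific order before base-64-ish encoding.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{salt}${encoded}"


def apr1_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $apr1$ string.

    The salt is read back out of the stored hash, so old entries keep verifying;
    the comparison is constant-time to avoid leaking how many characters match."""
    if not stored.startswith(MAGIC):
        return False
    salt, sep, _ = stored[len(MAGIC):].partition("$")
    if not sep:
        return False
    return hmac.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    entry = apr1_hash("correct horse", new_salt())
    print(entry)
    print(apr1_verify("correct horse", entry), apr1_verify("wrong", entry))
```

The hash string self-describes only its salt, not its work factor; if MD5-crypt's 1000 rounds ever become too cheap, every stored entry has to be rehashed at next login, which is the maintenance cost bcrypt's embedded cost parameter avoids.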