Package: libpam-runtime
Severity: wishlist
X-Debbugs-CC: whonix-de...@whonix.org

Dear maintainer,

could you please append 'rounds=65536' to 'password     [success=1
default=ignore] pam_unix.so obscure sha512' in file
/usr/share/pam/common-password? In other words:

/usr/share/pam/common-password currently has:

password        [success=1 default=ignore]      pam_unix.so obscure sha512

Could that be made

password        [success=1 default=ignore]      pam_unix.so obscure sha512 rounds=65536

please?

rationale: improve key strengthening

quote https://wiki.archlinux.org/index.php/SHA_password_hashes :

> The rounds=N option helps to improve key strengthening. The number of
> rounds has a larger impact on security than the selection of a hash
> function. For example, rounds=65536 means that an attacker has to
> compute 65536 hashes for each password he tests against the hash in your
> /etc/shadow. Therefore the attacker will be delayed by a factor of
> 65536. This also means that your computer must compute 65536 hashes
> every time you log in, but even on slow computers that takes less than 1
> second. If you do not use the rounds option, then glibc will default to
> 5000 rounds for SHA-512. Additionally, the default value for the rounds
> option can be found in sha512-crypt.c.

Kind regards,
Patrick
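To make concrete what the rounds=N option in the pam_unix line actually changes, here is an added example that is not part of the bug report above and not Debian's or glibc's code: a self-contained Python implementation of the $6$ (sha512crypt) scheme following Ulrich Drepper's "Unix crypt using SHA-256 and SHA-512" specification, which is the algorithm glibc's sha512-crypt.c (and libxcrypt) use for /etc/shadow. It exposes the rounds loop, the default of 5000 and the 1000..999999999 clamp, and times one hash at the default against one at rounds=65536. The password, salt and rounds values in the demo are made up for illustration; the one reference hash in the comments is the first test vector published in the specification. Nothing here touches PAM or /etc/shadow.

```python
"""Minimal sha512crypt ($6$) per Drepper's SHA-crypt specification.

Added illustration of what 'rounds=N' does; not the glibc/libxcrypt code.
Hashes produced here are byte-for-byte compatible with glibc's crypt(3).
"""
import hashlib
import hmac
import time

# crypt(3) base64 alphabet (not RFC 4648), emitted 6 bits at a time, low bits first
B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT = 5000          # what you get without 'rounds=' (matches sha512-crypt.c)
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999
SALT_MAX = 16                  # salt is silently truncated to 16 bytes


def _repeat(block: bytes, length: int) -> bytes:
    """`block` repeated and truncated to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def parse_setting(setting: str):
    """Split '$6$[rounds=N$]salt[$hash]' into (rounds, salt, rounds_custom)."""
    if not setting.startswith("$6$"):
        raise ValueError("not a sha512crypt setting string")
    rest = setting[3:]
    rounds, custom = ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        num, _, rest = rest.partition("$")
        rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, int(num[len("rounds="):])))
        custom = True
    salt = rest.split("$")[0][:SALT_MAX]
    return rounds, salt, custom


def sha512crypt(password: str, setting: str) -> str:
    """Return the full '$6$...' string, as crypt(3) would."""
    rounds, salt, custom = parse_setting(setting)
    key, salt_b = password.encode(), salt.encode()

    # Digest B = H(key || salt || key)
    b = hashlib.sha512(key + salt_b + key).digest()

    # Digest A = H(key || salt || B stretched to len(key) || per-bit mix of B/key)
    a = hashlib.sha512(key + salt_b)
    a.update(_repeat(b, len(key)))
    n = len(key)
    while n > 0:
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()

    # P and S: key and salt "stretched" through one more SHA-512 each
    p = _repeat(hashlib.sha512(key * len(key)).digest(), len(key))
    s = _repeat(hashlib.sha512(salt_b * (16 + a[0])).digest(), len(salt_b))

    # The part 'rounds=N' controls: N chained SHA-512 computations.
    # An attacker must repeat exactly this loop for every guess.
    c = a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    # Output encoding: 21 groups of 3 bytes in the spec's permuted order, then byte 63
    out = bytearray()
    for k in range(21):
        idx = (k, k + 21, k + 42)
        r = k % 3
        b2, b1, b0 = idx[r:] + idx[:r]
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = c[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6

    prefix = "$6$" + (f"rounds={rounds}$" if custom else "")
    return prefix + salt + "$" + out.decode()


def verify(password: str, stored: str) -> bool:
    """Recompute with the rounds/salt embedded in `stored`; constant-time compare."""
    return hmac.compare_digest(sha512crypt(password, stored).encode(), stored.encode())


def seconds_per_hash(rounds: int, password="correct horse", salt="madeupsalt") -> float:
    """Wall-clock cost of one hash at the given rounds (constructed inputs)."""
    t0 = time.perf_counter()
    sha512crypt(password, f"$6$rounds={rounds}${salt}")
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Spec test vector: $6$saltstring / "Hello world!" ->
    # $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1
    print(sha512crypt("Hello world!", "$6$saltstring"))
    print(sha512crypt("Hello world!", "$6$rounds=65536$madeupsalt")[:32] + "...")
    t_default, t_strong = seconds_per_hash(ROUNDS_DEFAULT), seconds_per_hash(65536)
    print(f"rounds=5000: {t_default:.4f}s  rounds=65536: {t_strong:.4f}s  "
          f"ratio: {t_strong / t_default:.1f}x")
```

After the PAM change takes effect and a password is changed, the resulting /etc/shadow entry carries the chosen value in clear text, `$6$rounds=65536$<salt>$<hash>`, which is how to check the setting landed; entries without a `rounds=` field were hashed with the 5000-round default. Note the slowdown relative to today's default is 65536/5000, about 13x per guess, not 65536x.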
