On Wed, Dec 15, 2010 at 09:42:52PM -0700, Bob Beck wrote:
> I don't mind [increasing the number of Blowfish rounds] if the
> eventual goal is to think about diddling with it per arch..
> 
> I certainly do NOT want a 2^11 blowfish password when logging into my
> sparc

Why not? An attacker can, after all, brute-force your password on a
machine of his choice. Silently decreasing the number of rounds on older
architectures surprises the user in a way that can lead to password
compromise ("My password was brute-forced because I used it on a sparc?!
I would have been fine on amd64? Huh? What happened to 'secure by
default'?!")

One *could* consider using a memory- instead of CPU-bound function to
calculate the password hash. Since, historically, memory access times
have increased less than effective CPU speeds, this may give decent
security without penalizing old machines quite as much.

Colin Percival (FreeBSD security officer) has proposed scrypt
(security/scrypt; BSD license), which is supposed to be both memory- and
CPU-bound. Perhaps you could do some test runs on your sparc to see if
the above theory actually holds up? (Leaving open the question of
whether OpenBSD should switch - bcrypt *is* more battle-tested.)

FWIW, I've used 2^10 rounds for years and never had any problems. Then
again, I've only used machines made in the last 10 years...

                Joachim
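The "silent downgrade" worry above can be checked from the defender's side, since bcrypt stores its cost in the hash string itself. This is an added example, not code from the thread or from OpenBSD; the hash strings and user names in it are constructed placeholders, not real password hashes.

```python
"""Audit stored bcrypt hashes for a work factor below policy.

bcrypt uses the modular crypt format  $2<variant>$<cost>$<22-char salt><31-char hash>,
where <cost> is log2 of the Blowfish key-schedule rounds (2^10 = 1024 rounds).
Every cost point below policy halves the work an attacker needs per guess.
"""
import re

# Variant letter is optional ($2$) or one of a, b, x, y; cost is two decimal digits;
# salt + hash are 53 characters of bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{53})$")


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost (log2 rounds) encoded in a bcrypt hash, or raise ValueError."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError(f"cost {cost} out of range")
    return cost


def audit(entries, min_cost=10):
    """Flag (user, cost, work_ratio) for hashes below min_cost.

    work_ratio is how many times cheaper a brute-force attempt is than at policy
    cost. Non-bcrypt entries are reported with cost=None so they are not ignored.
    """
    findings = []
    for user, hash_str in entries:
        try:
            cost = bcrypt_cost(hash_str)
        except ValueError:
            findings.append((user, None, None))
            continue
        if cost < min_cost:
            findings.append((user, cost, 2 ** (min_cost - cost)))
    return findings


# Constructed sample data: salt/hash fields are filler of the right length and
# alphabet, not the output of any real bcrypt run.
SALT = "abcdefghijklmnopqrstuv"                 # 22 chars
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"      # 31 chars
SAMPLE = [
    ("amd64-user", "$2b$10$" + SALT + DIGEST),  # at policy
    ("sparc-user", "$2b$07$" + SALT + DIGEST),  # silently lowered per-arch cost
    ("legacy-user", "$1$constructed$notabcrypthash"),  # md5crypt-style, not bcrypt
]

if __name__ == "__main__":
    for user, cost, ratio in audit(SAMPLE, min_cost=10):
        print(f"{user}: cost={cost} brute-force is {ratio}x cheaper than policy")
```

Running it on the sample reports `sparc-user` at cost 7 (8x cheaper than cost 10) and `legacy-user` as a non-bcrypt hash.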
