On Thu, Dec 16, 2010 at 4:35 AM, Joachim Schipper
<[email protected]> wrote:
> On Wed, Dec 15, 2010 at 09:42:52PM -0700, Bob Beck wrote:
>> I don't mind [increasing the number of Blowfish rounds] if the
>> eventual goal is to think about diddling with it per arch..
>>
>> I certainly do NOT want a 2^11 blowfish password when logging into my
>> sparc
>
> Why not? An attacker can, after all, brute-force your password on a
> machine of his choice. Silently decreasing the number of rounds on older
> architectures surprises the user in a way that can lead to password
> compromise ("My password was brute-forced because I used it on a sparc?!
> I would have been fine on amd64? Huh? What happened to 'secure by
> default'?!")

At some point, you won't be able to compute the hash before the login
timeout of 5 minutes expires.  Hopefully, the people using old
machines are using them for fun, not in a setting where master.passwd
is likely to be stolen.

That's really what it's about.  Is your machine likely to have the
passwd file stolen and are the accounts and passwords in that file
worth cracking?
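The trade-off the thread is arguing about, cost parameter versus hash time on a given machine, can be made concrete with a small calibration script. The following is an added example, not code from the OpenBSD project or from either poster. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in as the iterated hash (an assumption: what is demonstrated is the 2^cost scaling of work and how to pick the largest cost that fits a time budget such as a login timeout, not bcrypt's own key schedule). The cost parser reads the standard `$2b$NN$...` modular-crypt format that bcrypt hashes use.

```python
"""Calibrate an iterated password-hash cost to a time budget.

Added example for the discussion above; not the project's code.
PBKDF2-HMAC-SHA256 is used as a stand-in for bcrypt (assumption), because
both scale work as 2**cost and the point is the per-machine trade-off.
"""
import hashlib
import os
import time


def parse_bcrypt_cost(hash_string: str) -> int:
    """Return the cost (log2 of the rounds) from a bcrypt hash string.

    Expected layout: $2<a|b|y>$<cost>$<22 salt chars><31 hash chars>
    """
    parts = hash_string.split("$")
    if len(parts) != 4 or not parts[1].startswith("2"):
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(parts[2])
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return cost


def rounds_for_cost(cost: int) -> int:
    """Each +1 to the cost doubles the number of rounds."""
    return 1 << cost


def hash_password(password: bytes, salt: bytes, cost: int) -> bytes:
    # Stand-in for bcrypt: an iterated hash whose work is 2**cost.
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds_for_cost(cost))


def time_hash(cost: int, password: bytes = b"constructed-test-password") -> float:
    """Wall-clock seconds for one hash at the given cost on this host."""
    salt = os.urandom(16)  # fresh random salt, as a real implementation would use
    start = time.perf_counter()
    hash_password(password, salt, cost)
    return time.perf_counter() - start


def estimate_seconds(measured_seconds: float, measured_cost: int, target_cost: int) -> float:
    """Extrapolate a measured hash time to another cost (work doubles per step)."""
    return measured_seconds * 2.0 ** (target_cost - measured_cost)


def calibrate_cost(budget_seconds: float, min_cost: int = 4, max_cost: int = 31) -> int:
    """Largest cost whose single hash stays within the budget on this host.

    Walks upward one cost at a time and stops at the first cost that
    exceeds the budget; the answer is the cost just below it.
    """
    cost = min_cost
    while cost < max_cost:
        if time_hash(cost + 1) > budget_seconds:
            break
        cost += 1
    return cost


if __name__ == "__main__":
    # Show how quickly a fixed cost becomes unusable as the machine gets slower.
    base_cost = 10
    t = time_hash(base_cost)
    print(f"cost {base_cost}: {t:.4f}s on this host")
    for c in (11, 14, 17):
        print(f"cost {c}: ~{estimate_seconds(t, base_cost, c):.2f}s (extrapolated)")
    # A budget well under the 5-minute login timeout mentioned in the thread.
    print("largest cost within 0.05s here:", calibrate_cost(0.05))
```

`calibrate_cost` is the per-architecture tuning the thread alludes to: run it on the slowest host that will verify logins and the result is the ceiling for that host, while `estimate_seconds` shows what the same cost would mean elsewhere.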
