Date: Fri, 10 Dec 2010 21:09:56 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] GNU Savannah integrates passwdqc

Hi,

After the security compromise that affected several gnu.org services and websites, GNU Savannah (free software development hosting) introduced proper password hashing and password/passphrase strength checking using Openwall's passwdqc (invoking the pwqcheck and pwqgen programs):

http://savannah.gnu.org
http://savannah.gnu.org/maintenance/Compromise2010
http://git.savannah.gnu.org/cgit/savane-cleanup.git/

http://www.openwall.com/passwdqc/
http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy
http://www.openwall.com/articles/PHP-Users-Passwords#random-passwords

If you maintain an online service with user accounts, you should probably do the same - preferably before your security compromise occurs. Here's how to do it:

http://www.openwall.com/articles/PHP-Users-Passwords

and you may refer to the savane-cleanup git repository above for an example of how they did it. You may also see this in action on their new user registration page:

https://savannah.gnu.org/account/register.php

(Note: they use a http://www.cacert.org issued SSL certificate, which will likely be unrecognized by your web browser by default. CAcert is about making verifiable SSL certs freely available, and so is in line with GNU. This has nothing to do with password strength checking; it's just a side note I had to include.)

For proper password hashing, the Savannah Hackers chose to use the SHA-512-based crypt(3) flavor that is currently included in the official glibc (with this being the very reason for their choice), accessing it from PHP scripts. Thus, they used only some pieces of code from our phpass password hashing framework, whereas our recommendation for other projects/websites/services is to use the entire thing:

http://www.openwall.com/phpass/

(It is risky to try to implement things like this entirely on your own. Most people get it wrong.)

Indeed, lots of other security improvements have been made by the FSF sysadmins and Savannah Hackers - many of these are described on the Compromise2010 web page referenced above. However, this message is about password security.

Alexander
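Added example, not part of the message above nor of the savane-cleanup code: a PHP sketch of the pattern described, running pwqcheck and pwqgen as child processes (password on stdin, never on the command line) and hashing with the glibc SHA-512 crypt(3) flavor via PHP's crypt(). It assumes PHP 7 or later (random_int, hash_equals), the passwdqc programs on PATH, and a placeholder config path and rounds value.

```php
<?php
// Check a candidate password against the passwdqc policy by invoking pwqcheck.
// "-1" tells pwqcheck to read only the new password from stdin (no old password,
// no username). Returns [passed, message]; message is "OK" or the reason text.
function pwqcheck_ok(string $password, string $config = '/etc/passwdqc.conf'): array {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $cmd = 'pwqcheck -1 config=' . escapeshellarg($config);
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [false, 'cannot run pwqcheck'];
    }
    fwrite($pipes[0], $password . "\n"); // stdin, so it never appears in `ps`
    fclose($pipes[0]);
    $out = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return [$status === 0 && $out === 'OK', $out];
}

// Generate a random passphrase with pwqgen (default policy is 47 bits of entropy).
function pwqgen(int $bits = 47): ?string {
    $out = shell_exec('pwqgen random=' . (int) $bits);
    return $out === null ? null : trim($out);
}

// Hash with SHA-512 crypt(3): "$6$rounds=N$<16-char salt>$". The salt comes from
// the CSPRNG and uses the crypt(3) salt alphabet [./0-9A-Za-z].
function hash_password(string $password, int $rounds = 10000): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$6$rounds=' . $rounds . '$' . $salt . '$');
}

// Verify: the stored hash carries its own rounds and salt in the prefix, so
// re-hashing with it as the "salt" reproduces the hash; compare in constant time.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Registration flow: refuse weak passwords, store only the hash.
[$ok, $why] = pwqcheck_ok($_POST['password'] ?? '');
if (!$ok) {
    exit('Password rejected: ' . htmlspecialchars($why) . ' Suggestion: ' . pwqgen());
}
$stored_hash = hash_password($_POST['password']); // save this, not the password
```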