Date: Thu, 9 Aug 2012 17:17:36 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: crypt* files in crypt directory

On Thu, Aug 09, 2012 at 07:52:55PM +0400, Solar Designer wrote:
> > I don't see any downside to limiting the iteration count if the limit
> > is reasonable. For instance if the limit were such that higher counts
> > would take more than 1 second on a theoretical 50 GHz variant of a
> > modern cpu (which is faster than a single core will EVER be able to
> > get), there's no way they would be practical to use, and there's no
> > sense in supporting them except to satisfy a fetish for "no arbitrary
> > limits" even when it conflicts with security and robustness. This
> > would at least ensure the function can't get stuck running for
> > hours/days/weeks at a time.
> > 
> > The hard part is putting the limit at some point a good bit lower.
> 
> This makes some sense.

After some casual tests, I would say somewhere around 16 is
appropriate as the absolute upper cut-off, and 12-14 is probably the
"point a good bit lower" we're aiming for. Anyone else have opinions
on this? Information on what's in common use in the wild? (I would
guess 4-8 is typical in the wild.)

Rich
