Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 30 Aug 2012 10:40:01 +0200
From: Szabolcs Nagy <>
Subject: Re: Help-wanted tasks for musl

* Rich Felker <> [2012-08-29 13:01:32 -0400]:
> Committed. I also put strict rounds count checks in place for the
> existing hashes. Previously the only limit was on blowfish where the
> limit kept the runtime down to minutes instead of months/years, but
> that was of little practical benefit. Anyone who thinks the limits are
> too low/too high/whatever is welcome to bikeshed this...

i think the current setting is too low :)
i'd use the same setting for both
(sha512 can be significantly faster on 64bit than on 32bit)

the limit need not be more than 1M but should be at least 100k
(one can easily wait these out on a fast machine)

a quick search on the web found several
cases where sha crypt is promoted with
high rounds:



$5$rounds=80000 (this is the default in passlib!)


$6$rounds=1000000 (!!)

somehow i forgot to add 'static' to sha256
hash functions (sha256_init, sha256_update,
sha256_sum) so they are visible

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.