#12365: password generation must be more secured
---------------------------+---------------------------------------
Reporter: eanyx | Owner: nobody
Type: enhancement | Status: new
Priority: critical | Milestone: Unscheduled
Component: System | Version: R1/Development
Resolution: | Keywords: hash password /etc/shadow
Blocked By: | Blocking:
Has a Patch: 1 | Platform: All
---------------------------+---------------------------------------
Comment (by axeld):
Thanks for the update!
Ah, you tricked me with the sha256 files :-) Would be great if you could
rename them appropriately. Linking against shared then makes a lot of
sense.
I got the five seconds from the scrypt website, but maybe I misread that
part ("We estimate that on modern (2009) hardware, if 5 seconds are spent
computing a derived key, the cost of a hardware brute-force attack against
scrypt is roughly 4000 times greater than the cost of a similar attack
against bcrypt (to find the same password), and 20000 times greater than a
similar attack against PBKDF2.").
A good example for the unit tests would be (sorry, I can only point you to
files that I wrote myself with that introduction ;-)) the tests for
[http://cgit.haiku-os.org/haiku/tree/src/tests/kits/net/libnetapi
libnetapi.so] to name one. You seem to have added the test twice now
accidentally, under two different names.
Last but not least, I still have some coding style remakes for crypt.cpp,
although it has greatly improved since the last patch (we do take our
coding style very serious, sorry for that):
* Copyright: did you really write that between 2007 and 2009? :-)
* Two blank lines after the copyright header.
* The include order is correct, but we use blank lines between the
different sections; ie. one after the POSIX headers, and one after
SupportDefs.h.
* Line 38: it seems it wouldn't hit the 80 character per line limit if you
did not break that line in two.
* buf_len, buf, outbuf, outbuf_len aren't following our naming style for
variables. That would be: bufferLength, buffer, outBuffer, and
outBufferLength respectively (we use camel case).
* 'i' as index is allowed, but since outi or (camel case) outI looks
rather terrible, I'd actually use 'index' and 'outIndex'.
* Line 72 (and other places): we don't use curly braces for single line
statements (but even a newline would make it a two line statement).
* Line 99 (and other places): we use doxygen style comments for functions,
so that would be:
{{{
/*! Generate a new salt appropriate for crypt().
*/
}}}
or even (since it's just a single line):
{{{
//! Generate a new salt appropriate for crypt().
}}}
Note, there is no blank line between the comment and the function it
belongs to.
* Line 104: Opening curly braces go to the next line for functions (as you
noticed at other places).
* Line 117, line 135: Inconsistent asterisk style.
* N_log2 would be nLog2.
* But that should be all.
--
Ticket URL: <https://dev.haiku-os.org/ticket/12365#comment:10>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.