#12365: password generation must be more secured
---------------------------+---------------------------------------
Reporter: eanyx | Owner: nobody
Type: enhancement | Status: new
Priority: critical | Milestone: Unscheduled
Component: System | Version: R1/Development
Resolution: | Keywords: hash password /etc/shadow
Blocked By: | Blocking:
Has a Patch: 1 | Platform: All
---------------------------+---------------------------------------
Comment (by i80and):
* `crypt.cpp` doesn't really follow our coding style yet.
  - OK, I'll take a closer look at styling.
* Why does libroot link against shared now?
  - It needs access to the SHA256 implementation in shared. Is there a
    better way to do this?
* It looks like we should update AboutSystem to refer to the license.
  - I'll add that.
* Doesn't this make logging in very slow? I would find 5 seconds
  inconvenient enough to prefer to go with bcrypt instead.
  - On a VM running on my laptop, this crypt() takes real 0.105 seconds.
    Where did you get 5 seconds?
* Is this already scrypt 1.2 from August 2015?
  - Yup! Changed to use the in-tree SHA-256 implementation, and to compile
    as C++.
* The test looks fine; it's as integrated as the rest of it. Ideally, it
  would be part of our unit test suite, though.
  - I'll take a stab at using the unit test stuff. Any particular example
    I should use?
* Don't we already have a number of SHA-256 computation code in our tree
  that could be reused (or replaced if slower)?
  - Yup, this uses that code. I removed the SHA-256 implementation from
    sha256.c and sha256.h, so they're just PBKDF2 functions. I should rename
    them.
--
Ticket URL: <https://dev.haiku-os.org/ticket/12365#comment:8>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.