Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20101210180956.GA3532@openwall.com>
Date: Fri, 10 Dec 2010 21:09:56 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] GNU Savannah integrates passwdqc

Hi,

After the security compromise that affected several gnu.org services and
websites, GNU Savannah (free software development hosting) introduced
proper password hashing and password/passphrase strength checking using
Openwall's passwdqc (invoking the pwqcheck and pwqgen programs):

http://savannah.gnu.org
http://savannah.gnu.org/maintenance/Compromise2010
http://git.savannah.gnu.org/cgit/savane-cleanup.git/

http://www.openwall.com/passwdqc/
http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy
http://www.openwall.com/articles/PHP-Users-Passwords#random-passwords

If you maintain an online service with user accounts, you should
probably do the same - preferably before your security compromise occurs.
Here's how to do it:

http://www.openwall.com/articles/PHP-Users-Passwords

and you may refer to the savane-cleanup git repository above for an
example of how they did it.  You may also see this in action on their
new user registration page:

https://savannah.gnu.org/account/register.php

(Note: they use a http://www.cacert.org issued SSL certificate, which
will likely be unrecognized by your web browser by default.  CAcert is
about making verifiable SSL certs freely available, and so is in line
with GNU.  This has nothing to do with password strength checking; it's
just a side note I had to include.)

For proper password hashing, the Savannah Hackers chose to use the
SHA-512-based crypt(3) flavor that is currently included in the official
glibc (with this being the very reason for their choice), accessing it
from PHP scripts.  Thus, they used only some pieces of code from our
phpass password hashing framework, whereas our recommendation for other
projects/websites/services is to use the entire thing:

http://www.openwall.com/phpass/

(It is risky to try to implement things like this entirely on your own.
Most people get it wrong.)

Indeed, lots of other security improvements have been made by the FSF
sysadmins and Savannah Hackers - many of these are described on the
Compromise2010 web page referenced above.  However, this message is
about password security.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.