Passwords stored as Blowfish in Config file

Started by seed, March 06, 2021, 12:29:20 PM

March 06, 2021, 12:29:20 PM Last Edit: March 06, 2021, 12:31:26 PM by seed
While working in the Config XML I found that passwords are stored as Blowfish. Why are passwords not stored as SHA-512?
SHA-512 should be standard. Even the root user's PW is stored as Blowfish.

Extract from Config File:

    <user>
      <password>$2y$10$################################</password>
      <scope>users</scope>
      <name>testusername</name>
      <descr>test test</descr>
      <expires/>
      <authorizedkeys/>
      <ipsecpsk/>
      <otp_seed/>
      <uid>12345</uid>
      <cert>############</cert>
      <cert>############</cert>
    </user>
I want all services to run with wirespeed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Hmmm, or bcrypt, maybe?

https://en.wikipedia.org/wiki/Bcrypt
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

What's the problem with Blowfish?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

So?

Quote
Blowfish was designed by Bruce Schneier in 1993 and uses symmetric encryption. It has a variable key length from 32 bits to 448 bits and uses a 64-bit block cipher.

Although it still remains widely in use, AES is treated as the standard encryption method. It is also unpatented and royalty free and hence available for all users.

Since it uses a 64-bit block cipher, it is not recommended to use Blowfish encryption on file sizes larger than 4gb. In fact, Schneier himself recommends using Twofish encryption instead.

There is no weakness mentioned in that article ...

Blowfish has been available as a secure password hash algorithm in FreeBSD  for years and works.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Unless your password is more than 4Gb in length, then it could be a problem. 8)
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: seed on March 06, 2021, 12:29:20 PM
While working in the Config XML I found that passwords are stored as Blowfish. Why are passwords not stored as SHA-512?
SHA-512 should be standard. Even the root user's PW is stored as Blowfish.

Extract from Config File:

    <user>
      <password>$2y$10$################################

What is the real problem? According to the man page, "$2y" means bcrypt. Bcrypt is not the same as Blowfish, even if the former is derived from it. As far as I know, Bcrypt is still considered secure for password-based authentication. Correct me if I am wrong.

Furthermore, it does not make sense only comparing the entropy of hash functions when used for password based authentication schemes.
OPNsense 24.7.11_2-amd64
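
What the `$2y$10$` prefix in the config extract encodes, as an added example (not code from this thread or from OPNsense): a small parser for the crypt-style hash prefixes discussed here, run over a constructed config. The sample user names, the filler hash bodies and the function names `classify` and `audit` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# bcrypt: $2y$<2-digit cost>$<22-char salt + 31-char hash>; cost is log2 of the iteration count.
BCRYPT = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
# SHA-crypt: $5$ (SHA-256) or $6$ (SHA-512), optional rounds=N, then salt and hash.
SHACRYPT = re.compile(
    r"^\$([56])\$(?:rounds=(\d+)\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+$")

def classify(stored):
    """Return (scheme, iterations) for a stored password string."""
    m = BCRYPT.match(stored)
    if m:
        return ("bcrypt", 2 ** int(m.group(2)))
    m = SHACRYPT.match(stored)
    if m:
        scheme = "sha512-crypt" if m.group(1) == "6" else "sha256-crypt"
        # SHA-crypt defaults to 5000 rounds when no rounds= field is present.
        return (scheme, int(m.group(2) or 5000))
    return ("unknown", None)

def audit(config_xml):
    """List (user name, scheme, iterations) for every <user> in a config."""
    rows = []
    for user in ET.fromstring(config_xml).iter("user"):
        name = user.findtext("name", default="?")
        rows.append((name,) + classify(user.findtext("password", default="")))
    return rows

# Constructed sample in the shape of the extract above; hash bodies are filler.
SAMPLE_CONFIG = (
    "<system>"
    "<user><password>$2y$10$" + "A" * 53 + "</password><name>root</name></user>"
    "<user><password>$6$rounds=100000$examplesalt$" + "B" * 86
    + "</password><name>legacy</name></user>"
    "<user><password>not-a-hash</password><name>broken</name></user>"
    "</system>"
)

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```
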

Quote from: schnipp on March 06, 2021, 06:32:30 PM
What is the real problem? According to the man page, "$2y" means bcrypt. Bcrypt is not the same as Blowfish, even if the former is derived from it. As far as I know, Bcrypt is still considered secure for password-based authentication. Correct me if I am wrong.

Furthermore, it does not make sense only comparing the entropy of hash functions when used for password based authentication schemes.
bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher ...
(Wikipedia)

Of course, Blowfish being a symmetrical cypher and not a hash function like SHA, you need to design a specific password hash mechanism to use it as such. Same as with DES or AES ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Less drama and more reasonable GitHub requests please. It's not an issue to change it, but I am a bit weary of "OH MY GOD WHAT IS WRONG WITH YOU PEOPLE" approach in recent reports. ;)


Cheers,
Franco

Bcrypt is still fine and the alternative is definitely not SHA. The alternatives to Bcrypt would be scrypt and argon2.

One advantage of Bcrypt is that it is widely supported.