BCRYPT - Why doesn't the Linux Distributions use it by default?
Solution 1
A couple of reasons:
The BCrypt-based scheme isn't NIST approved.
Hash functions are designed for this kind of usage, whereas Blowfish wasn't.
The added security is BCrypt is based on it being computationally expensive, rather than the type of algorithm. Relying on computationally expensive operations isn't good for long-term security.
See http://en.wikipedia.org/wiki/Crypt_%28Unix%29 for some discussion on this.
Solution 2
OpenSUSE 11.4 (at least) does use Bcrypt by default.
Solution 3
Ulrich Drepper, the glibc maintainer, rejected bcrypt support since isn't approved by NIST. See details the article bcrypt support for passwords in /etc/shadow
And his article on homepage Unix crypt with SHA-256/512
LanceBaynes
Updated on September 18, 2022Comments
-
LanceBaynes over 1 year
Does OpenBSD use bcrypt by default?
Why doesn't every modern Linux Distribution use BCRYPT?
http://codahale.com/how-to-safely-store-a-password/
https://secure.wikimedia.org/wikipedia/en/wiki/Bcrypt
WHY????
-
Geoff about 13 yearsBeing computationally expensive is exactly why bcrypt is used for this application.
-
xenoterracide about 13 years@rob 4. bcrypt adds a dependency that isn't otherwise there, where sha1 and sha2 are part of glibc
-
Rob about 13 yearsWhat I said in point 3.
-
Geoff about 13 yearsSorry, I'll be more clear. Being computationally expensive, plus having a configurable number of rounds, is exactly why this is a good scheme for long-term security. It allows the cost of checking the hash to increase as hardware gets faster. The original paper describing bcrypt was actually titled "A Future-Adaptable Password Scheme" (usenix.org/events/usenix99/provos/provos_html)
-
Rob about 13 years@pdo I don't consider the ability to increase the number of rounds to negate point 3. It may be that additional rounds cancel each other out in some way w.r.t. future cryptoanalytic attacks on the underlying algorithm.
-
Geoff about 13 years@Rob All things being equal, a hashing scheme that is more computationally expensive is better than one that is less expensive. It means you have to spend longer to hash each candidate password when brute-forcing the keyspace. If you know of a better attack against Blowfish (as used in bcrypt) than the rest of the world, please let somebody know :)
-
Geoff over 12 years@TechZilla I'm not arguing it should be the default, only pointing out the characteristic that makes it a good password hash mechanism.