
Re: Openldap support SHA-256 or SHA-3.



On 1/8/20 10:27 AM, Simone Piccardi wrote:
> But in the current version is it better to use the contrib module, or
> delegate the hashing to the C library? I'm currently using on new installs:
> 
> password-hash {CRYPT}
> password-crypt-salt-format "$6$%.16s"
> 
> but I'm using only Linux, I don't know if this is applicable on other OSes.

You can improve this a bit by setting more hashing rounds (default is 5000):

$6$rounds=90000$%.16s

It's worth reading the hints in crypt(5):

"[..] Supported on Linux but not common elsewhere.  Acceptable for new
hashes.  The default CPU time cost parameter is 5000, which is too low
for modern hardware."

So as long as you're only using Linux it's fine. But if you want to
migrate to other Unix-like OSes or Windows, these hashes won't work anymore.

Ciao, Michael.
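
As an added example (not part of the original message and not OpenLDAP code): a Python check that takes already-decoded userPassword values and reports which ones were not hashed with SHA-crypt at the 90000 rounds suggested above. The function names, DNs, salt and hash bodies are constructed for illustration; values read from LDIF are assumed to have been base64-decoded first.

```python
import re

DEFAULT_ROUNDS = 5000  # crypt(5): cost used when the hash carries no rounds= field

# $5$ / $6$ modular crypt layout: $id$[rounds=N$]salt$hash
SHA_CRYPT = re.compile(
    r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[A-Za-z0-9./]{1,16})\$(?P<hash>[A-Za-z0-9./]+)$"
)

def parse_userpassword(value):
    """Return (scheme, rounds); rounds is None when the value is not SHA-crypt."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value)
    if not m:
        return ("cleartext", None)
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, None)          # e.g. SSHA, hashed by slapd itself
    c = SHA_CRYPT.match(rest)
    if not c:
        return ("CRYPT/other", None)   # DES, MD5 or another crypt(3) method
    name = "sha512-crypt" if c.group("id") == "6" else "sha256-crypt"
    rounds = int(c.group("rounds")) if c.group("rounds") else DEFAULT_ROUNDS
    return (name, rounds)

def audit(entries, min_rounds=90000):
    """List (dn, scheme, reason) for every value weaker than the target setting."""
    findings = []
    for dn, value in entries:
        scheme, rounds = parse_userpassword(value)
        if rounds is None:
            findings.append((dn, scheme, "not SHA-crypt"))
        elif rounds < min_rounds:
            findings.append((dn, scheme, f"rounds={rounds} < {min_rounds}"))
    return findings

# Constructed sample data: the DNs, salt and hash body are placeholders, not real hashes.
FAKE_HASH = "x" * 86
SAMPLE = [
    ("uid=alice,dc=example,dc=org", "{CRYPT}$6$rounds=90000$abcdefghijklmnop$" + FAKE_HASH),
    ("uid=bob,dc=example,dc=org", "{CRYPT}$6$abcdefghijklmnop$" + FAKE_HASH),
    ("uid=carol,dc=example,dc=org", "{SSHA}constructedplaceholder"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Entries hashed before the rounds setting was raised keep their old cost until the password is next changed, which is why the stored values are worth checking and not only the configuration line.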