Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Dec 2010 21:09:56 +0300
From: Solar Designer <>
Subject: [openwall-announce] GNU Savannah integrates passwdqc


After the security compromise that affected several services and
websites, GNU Savannah (free software development hosting) introduced
proper password hashing and password/passphrase strength checking using
Openwall's passwdqc (invoking the pwqcheck and pwqgen programs):

If you maintain an online service with user accounts, you should
probably do the same - preferably before your security compromise occurs.
Here's how to do it:

and you may refer to the savane-cleanup git repository above for an
example of how they did it.  You may also see this in action on their
new user registration page:

(Note: they use a issued SSL certificate, which
will likely be unrecognized by your web browser by default.  CAcert is
about making verifiable SSL certs freely available, and so is in line
with GNU.  This has nothing to do with password strength checking; it's
just a side note I had to include.)

For proper password hashing, the Savannah Hackers chose to use the
SHA-512-based crypt(3) flavor that is currently included in the official
glibc (with this being the very reason for their choice), accessing it
from PHP scripts.  Thus, they used only some pieces of code from our
phpass password hashing framework, whereas our recommendation for other
projects/websites/services is to use the entire thing:

(It is risky to try to implement things like this entirely on your own.
Most people get it wrong.)

Indeed, lots of other security improvements have been made by the FSF
sysadmins and Savannah Hackers - many of these are described on the
Compromise2010 web page referenced above.  However, this message is
about password security.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.