Package: libpam-runtime
Severity: wishlist
X-Debbugs-CC: whonix-de...@whonix.org

Dear maintainer,

could you please append 'rounds=65536' to

    password [success=1 default=ignore] pam_unix.so obscure sha512

in file /usr/share/pam/common-password?

In other words: /usr/share/pam/common-password currently has:

    password [success=1 default=ignore] pam_unix.so obscure sha512

Could that be made

    password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536

please?

Rationale: improve key strengthening.

Quote https://wiki.archlinux.org/index.php/SHA_password_hashes :

> The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function.
> For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 65536.
> This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second.
> If you do not use the rounds option, then glibc will default to 5000 rounds for SHA-512. Additionally, the default value for the rounds option can be found in sha512-crypt.c.

Kind regards,
Patrick
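To make the effect of the requested change visible on a system, the following is an added example (not part of this bug report, Debian's pam packaging, or glibc): a small audit of /etc/shadow-style entries that parses the crypt(3) hash prefix, reads the effective rounds value (falling back to glibc's default of 5000 when no rounds= field is present, as the quoted wiki text states), and flags entries that fall short of rounds=65536. The SAMPLE_SHADOW entries and their hash bodies are constructed placeholders, and the scheme names in SHA_CRYPT_IDS/OTHER_IDS are labels chosen for this example. It only parses the stored format; it does not compute any hashes.

```python
"""Audit /etc/shadow-style entries for the sha512-crypt 'rounds' work factor.

Added example for the pam_unix rounds= request; not Debian or glibc code.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

GLIBC_DEFAULT_ROUNDS = 5000   # glibc default for SHA-crypt when 'rounds=' is absent
REQUESTED_ROUNDS = 65536      # the value the report asks pam_unix to pass

# Only the SHA-crypt ids ($5$ = SHA-256, $6$ = SHA-512) take a rounds= parameter.
SHA_CRYPT_IDS = {"5": "sha256-crypt", "6": "sha512-crypt"}
OTHER_IDS = {"1": "md5-crypt", "2b": "bcrypt", "y": "yescrypt"}

# Layout of a SHA-crypt field: $<id>$[rounds=N$]<salt>$<hash>
CRYPT_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$:]*)$"
)

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$abcdefgh$PLACEHOLDERHASH000000000000000000000000000000000000:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH000000000000000000000000000000000000000000000000:19000:0:99999:7:::
bob:$5$rounds=10000$saltsalt$PLACEHOLDERHASH00000000000000000000000000000:19000:0:99999:7:::
carol:$1$saltsalt$PLACEHOLDERHASH0000000:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
eve:!$6$saltsalt$PLACEHOLDERHASH0000000000000000000000000000000000000000000000000:19000:0:99999:7:::
"""


class HashInfo(NamedTuple):
    scheme: str             # e.g. "sha512-crypt"
    rounds: Optional[int]   # effective rounds for SHA-crypt; None for other schemes
    locked: bool            # field was prefixed with '!' (account locked)
    usable: bool            # False for '*', a bare '!', an empty field or unparsable text


def parse_crypt_field(field: str) -> HashInfo:
    """Parse the password field of one shadow entry."""
    locked = field.startswith("!")
    body = field.lstrip("!")
    m = CRYPT_RE.match(body)
    if not m:
        return HashInfo("none", None, locked, False)
    hid = m.group("id")
    if hid in SHA_CRYPT_IDS:
        # No rounds= field means glibc applied its default (5000).
        rounds = int(m.group("rounds")) if m.group("rounds") else GLIBC_DEFAULT_ROUNDS
        return HashInfo(SHA_CRYPT_IDS[hid], rounds, locked, True)
    return HashInfo(OTHER_IDS.get(hid, "unknown-$%s$" % hid), None, locked, True)


def slowdown_factor(rounds: int, baseline: int = GLIBC_DEFAULT_ROUNDS) -> float:
    """Extra work per password guess relative to the baseline rounds value."""
    return rounds / baseline


def audit_shadow(text: str, target: int = REQUESTED_ROUNDS) -> List[Tuple[str, str]]:
    """Return (user, reason) for every entry whose stored hash is weaker than the target."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = parse_crypt_field(field)
        if not info.usable:
            continue  # nothing stored that an offline attacker could crack
        note = " (account locked, hash still crackable offline)" if info.locked else ""
        if info.scheme != "sha512-crypt":
            findings.append((user, f"{info.scheme}, not sha512-crypt{note}"))
        elif info.rounds < target:
            findings.append((user,
                             f"sha512-crypt with rounds={info.rounds}, below target {target} "
                             f"({target / info.rounds:.1f}x less work per guess){note}"))
    return findings


if __name__ == "__main__":
    print(f"rounds=65536 vs glibc default: {slowdown_factor(REQUESTED_ROUNDS):.1f}x more work per guess")
    for user, reason in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```

Run against a real shadow file (as root) with `audit_shadow(open("/etc/shadow").read())`. Note that changing the pam_unix line only affects hashes created afterwards; existing entries keep the rounds value they were hashed with until the password is next changed, which is exactly what this audit surfaces.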