Increase iterations for history hashing

Increase hash iterations for heimdal-history by roughly a factor of
four to increase the time required for a password hash to about 0.1
seconds on modern hardware.  This will affect newly-stored history
entries but will not invalidate existing password history entries.

diff --git a/NEWS b/NEWS
index 7c3534ca8c903da30f62f5d41baa15a686fd7b72..1ce9e504f69fcc9ffb688515aa9c93e4fb4d0b48 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,11 @@ krb5-strength 3.2 (unreleased)
     password would be accepted without updating the history or password
     length databases.  Based on work by macrotex.
 
+    Increase hash iterations for heimdal-history by roughly a factor of
+    four to increase the time required for a password hash to about 0.1
+    seconds on modern hardware.  This will affect newly-stored history
+    entries but will not invalidate existing password history entries.
+
     Support building without CrackLib support by passing
     --without-cracklib to configure.  This makes the code a bit simpler
     and lighter if you don't intend to ever use the CrackLib support.

diff --git a/tools/heimdal-history b/tools/heimdal-history
index ec85a9ba6ce3c7cc48ad9ed9229f951a327fdbf7..525e6df81bdcbdb0985034665d649b0c197f86ec 100755 (executable)
--- a/tools/heimdal-history
+++ b/tools/heimdal-history
@@ -33,7 +33,7 @@ use Sys::Syslog qw(openlog syslog LOG_AUTH LOG_INFO LOG_WARNING);
 # The number of PBKDF2 iterations to use when hashing passwords.  This number
 # should be chosen so as to force the hash operation to take approximately 0.1
 # seconds on current hardware.
-Readonly my $HASH_ITERATIONS => 14592;
+Readonly my $HASH_ITERATIONS => 40128;
 
 # Path to the history database.  Currently, this must be a Berkeley DB file in
 # the old DB_HASH format.  Keys will be principal names, and values will be a