Bug #2427

SHA3/Password Hash

Added by robin.carey1 almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done:

Target version: -


Dear DragonFlyBSD bugs,

I just learned this morning that NIST has completed their competition for
the new SHA3 cryptographic hash algorithm:



I would recommend that DragonFlyBSD consider deprecating SHA2 for password
hashes, and adopting the new SHA3 algorithm/standard (since SHA1 has been
broken and SHA2 is very similar to SHA1; but note that I believe SHA2 is
considered safe/secure).

Another reason why:



Go to www.slashdot.org and search for "openwall" or "John the Ripper" to
see the article on:

"John the Ripper Cracks Slow Hashes On

Basically, even SHA512 was considered problematic in the above article
on cracking password hashes (presumably by brute force).


Robin Carey BSc


#1 Updated by sjg almost 4 years ago

  • Status changed from New to Closed

SHA3 is actually a faster hash function than the SHA2 algorithms, making it less secure in the face of brute force attacks. We won't be changing our hash function until there is a compelling reason to do so, which I do not believe you have provided. Please follow up if you can provide more compelling evidence that our existing hash (and Linux's, since we use their code) is broken or weak. Until such time, I am closing this.
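
The speed versus brute-force trade-off raised in the reply above can be measured directly. The following is an added example, not part of the original thread and not DragonFly's code: it times the per-guess cost of one SHA-512 or SHA3-512 pass against an iterated construction. The `stretched` helper, the salt, the round count of 5000 and the 26^8 keyspace are assumptions chosen for illustration; the loop is a simplified stand-in for an iterated password hash, not the scheme DragonFly ships.

```python
import hashlib
import time

SALT = b"constructed-salt"   # constructed sample value
ROUNDS = 5000                # assumed work factor, for illustration only
KEYSPACE = 26 ** 8           # assumed: every 8-letter lowercase password


def stretched(name, password, salt, rounds):
    """Apply hash `name` `rounds` times over salt and password.

    Simplified iterated construction used only to measure cost;
    it is not a vetted password-storage scheme.
    """
    digest = hashlib.new(name, salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(name, digest + salt + password).digest()
    return digest


def seconds_per_guess(name, rounds, trials=20):
    """Average wall-clock cost of hashing one candidate password."""
    start = time.perf_counter()
    for i in range(trials):
        stretched(name, b"candidate-%d" % i, SALT, rounds)
    return (time.perf_counter() - start) / trials


def years_to_exhaust(per_guess, keyspace=KEYSPACE):
    """Single-core time needed to hash every candidate in the keyspace."""
    return per_guess * keyspace / (365 * 24 * 3600)


if __name__ == "__main__":
    # Compare one pass against the iterated form for both primitives.
    for name in ("sha512", "sha3_512"):
        for rounds in (1, ROUNDS):
            cost = seconds_per_guess(name, rounds)
            print(f"{name:9} rounds={rounds:<5} {cost * 1e6:10.1f} us/guess "
                  f"{years_to_exhaust(cost):12.2f} core-years for 26^8")
```

On any machine the round count moves the per-guess cost by orders of magnitude, while swapping the primitive at a fixed round count changes it by a small constant factor.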
