Provide guidance about securing login passphrase

[ebiggers]

The security of any encryption system that's unlocked by the user's login passphrase, including fscrypt's login protectors, is limited by the strength of the password hashing in /etc/shadow. /etc/shadow by default uses SHA-512 with 5000 rounds, which is much weaker than fscrypt's Argon2 passphrase hashing. For fscrypt, we should provide appropriate guidance in the documentation and in the interactive output when creating a login protector. We should recommend that users should either increase the number of rounds in /etc/shadow, use a strong login passphrase, or use a custom passphrase protector instead.

Longer term, it would be nice if /etc/shadow would use a more modern passphrase hashing function, such as Argon2. That apparently would require making the crypt() function in glibc support it.

[gerout7]

What would be a recommended number of round for /etc/shadow?

[ebiggers]

What would be a recommended number of round for /etc/shadow?

In #223 I'm recommending 500000 (100x the default), as this makes the hashing time be on the same order of magnitude as fscrypt's default.

However, the main recommendation is to choose a strong passphrase. That can give orders of magnitude more improvement than the 100x you can get by increasing rounds.

[Maryse47]

Aren't hashing rounds optimized for power of 2? It would be 524288 then.

[ebiggers]

Aren't hashing rounds optimized for power of 2? It would be 524288 then.

No, there's nothing special about powers of 2. See the source here.

[gerout7]

Why is the option called nrounds https://github.com/google/fscrypt/blame/master/README.md#L309
Should't it be "rounds"? I did not find an option called nrounds but the manpage of pam_unix lists rounds as the option in question. Is this a typo?

[ebiggers]

Why is the option called nrounds https://github.com/google/fscrypt/blame/master/README.md#L309
Should't it be "rounds"? I did not find an option called nrounds but the manpage of pam_unix lists rounds as the option in question. Is this a typo?

Yes it's a typo, sorry about that! I used rounds when I tested it, but accidentally wrote nrounds in the documentation. Fixing with #228.

[gerout7]

If I am not mistaken the hashing strength of the argon hash is related to the hardware capabilities of the system it is generated on. Meaning it will be a stronger hash when there is a bigger CPU available so it will always take 1 second to generate the hash.

Wouldn't t be possible to provide a dynamic recommendation when the login passphrase is selected by measuring the number of rounds it takes with sha512 to reach the same time costs?

[ebiggers]

It would be possible, but since /etc/shadow's SHA-512 hash isn't multithreaded, the time to execute it doesn't vary nearly as much as the Argon2 hash. We'd also have to tell the user to run a command to calibrate the SHA-512 hash (which adds UI complexity), and we're now only talking about small changes in security that are equivalent to adding or removing a fraction of a character to your passphrase. So I'm not sure it would be worthwhile to implement, vs. simply giving a number that's good for most users. I'll think about it.