2. Instead of:
+ * The deprecated sha256/512 functions are somehow sensitive to the
+ * order of this crypt_types array as well as their respective "name"
+ * In order to ensure that both existing passwords will continue to work
+ * that new passwords will be more secure by using the new algorithms
+ * without updating the existing login.conf, this array is now scanned
+ * backwards. This could be reverted in the future when the deprecated
+ * functionality is removed.
how about using the more reliable approach proposed by magnum here? -
As you can see, he has even spent time to identify the specific 64-bit
magic values. Of course, you'll need to double-check them (such as by
applying the patch and testing logins to existing accounts with both
sha256 and sha512 on a 64-bit DragonFly system.)
There isn't a collision issue with $3$ and $4$ on DragonFly, so I don't
see any obvious need. I intend to rip the old code out after a few
releases, so the issue (if there is one) will be (relatively) short lived.