Moments after I posted the previous entry, I received notification that Ulrich Drepper has now published his new proposal[1] to add sha256 and sha512 to crypt. It includes a proposal to lengthen the salt to 16 and allow for the number of rounds to be optionally specified in the salt string. According to the specification, “The maximum length of a password string is therefore (excluding final NUL byte in the C representation):

SHA-256 80 characters
SHA-512 123 characters” [2]

So it looks like we might get a stronger algorithm for passwords widely adopted in the near future.
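How the two limits quoted above come about, as an added example that is not from the original post or from Drepper's code. The field widths (the `$5$`/`$6$` prefixes, the `rounds=` field capped at 999999999, the 43- and 86-character encoded hashes) come from the SHA-crypt specification; the function names, the strict rejection of malformed input and the sample entry are assumptions of this example.

```python
import re

# Field widths from the SHA-crypt specification (not spelled out in the post).
SCHEMES = {"5": ("SHA-256", 43), "6": ("SHA-512", 86)}  # id -> (name, encoded hash chars)
SALT_MAX = 16                      # salt length limit mentioned in the post
ROUNDS_MIN, ROUNDS_MAX, ROUNDS_DEFAULT = 1000, 999_999_999, 5000
B64 = r"[./0-9A-Za-z]"             # crypt's own base64 alphabet

# Constructed sample entry: the hash part is filler, not a real digest.
SAMPLE = "$5$rounds=10000$saltsaltsaltsalt$" + "A" * 43


def max_length(scheme_id):
    """Longest possible password string for a scheme, excluding the final NUL."""
    _, hash_len = SCHEMES[scheme_id]
    prefix = len(f"${scheme_id}$")             # "$5$" or "$6$"
    rounds = len(f"rounds={ROUNDS_MAX}$")      # optional field at its widest
    return prefix + rounds + SALT_MAX + len("$") + hash_len


def parse(entry):
    """Split a stored SHA-crypt string into its fields.

    Assumption of this example: malformed input is rejected outright.
    crypt() itself clamps out-of-range round counts and truncates long
    salts, so strings it has written always pass these checks.
    """
    pattern = (r"\$([56])\$(?:rounds=([1-9][0-9]*)\$)?"
               r"(" + B64 + r"{0,16})\$(" + B64 + r"+)")
    m = re.fullmatch(pattern, entry)
    if not m:
        raise ValueError("not a SHA-crypt string")
    scheme_id, rounds, salt, digest = m.groups()
    name, hash_len = SCHEMES[scheme_id]
    if len(digest) != hash_len:
        raise ValueError(f"{name} hash must be {hash_len} characters")
    rounds = int(rounds) if rounds else ROUNDS_DEFAULT
    if not ROUNDS_MIN <= rounds <= ROUNDS_MAX:
        raise ValueError("rounds out of range")
    return {"scheme": name, "rounds": rounds, "salt": salt, "hash": digest}
```

A password file field or database column sized from `max_length` holds any string the scheme can produce, including one with an explicit nine-digit round count.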

BTW, I saw this come through the gov-sec mailing list, which is a mailing list for Linux adoption by the U.S. government. [3]

[1] http://people.redhat.com/drepper/sha-crypt.html
[2] http://people.redhat.com/drepper/SHA-crypt.txt
[3] https://www.redhat.com/mailman/listinfo/gov-sec