SHA245, SHA512 rounds are too low

[MilanKral]

The default number of SHA245, SHA512 iterations is 5000.
#define ROUNDS_DEFAULT 5000

This is too low to be considered secure again even moderate GPU, ASIC attacks.
Please increase the default number to 100000

A modern desktop computer can compute 10 000 000 SHA256 iterations in about 5 seconds

[zackw]

I keep forgetting to get back to you about this, sorry.

You're quite correct that the default rounds settings for SHAxxx hashes (and several others) are too low. However, we cannot change ROUNDS_DEFAULT because that would change the interpretation of existing hashed passphrases: $5$saltstring$... must continue to be processed with 5000 rounds. Also, new defaults will need to depend on what hardware is actually available; 100,000 SHA256 iterations would be fine on a "modern desktop computer" but might make logins unacceptably slow on embedded devices, for instance.

There is a plan to make the rounds defaults used by crypt_gensalt runtime-configurable, see #4 and #26. Unfortunately I do not expect to have time to work on this in the near future.

I'm going to leave this bug open and mark it 'help wanted' but people who are interested in helping should come to #26.