Our password hashing has no clothes

Discussion in 'other security issues & news' started by Melf, Jun 25, 2012.

Thread Status:
Not open for further replies.
  1. Melf (Registered Member; joined Sep 7, 2010; posts: 105)

    Our password hashing has no clothes

    Interesting write-up, basically saying that current server-side password protection techniques are useless because

    a) People all choose non-unique passwords, and the most common bajillion or so passwords that people use are already known and stored in a database from previous attacks
    b) Crypto hashing algorithms are really fast, but they don't need to be nearly so fast

    The only things we users can do to protect ourselves are to use
    a) Really long passwords
    b) Completely non-predictable passwords

    i.e. use a password manager that can generate long, random strings of gobbledygook.

    I wonder also why web developers don't use some pseudo-proprietary algorithm to create passwords so that it's not something stock standard that comes bundled with password cracking programs...
     
    Last edited: Jun 27, 2012
  2. chronomatic (Registered Member; joined Apr 9, 2009; posts: 1,343)

    All you need is PBKDF2. The author of that article mistakenly called PBKDF2 a hashing algorithm, but it's not. It is in fact a key-stretching scheme that can utilize any hash function. Truecrypt uses it. Dm-crypt/LUKS on Linux uses it. Hopefully most web-based password databases use it. If not, they should.

    And crypto hashing algorithms are designed to be fast. The SHA-3 competition is going on right now, and speed and efficiency are among the main features that NIST is looking for. You want speed in your hash algorithms in almost every case *except* for password hashing. But, again, that's why PBKDF2 was devised.
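
The key stretching discussed in this thread, as an added example that is not part of either post: server-side storage and verification with PBKDF2 from Python's standard library, using a per-user salt and a stored iteration count so the work factor can be raised later. The record format, the function names and the iteration count of 600,000 are assumptions made for this example.

```python
import hashlib
import hmac
import os

ALLOWED = {"sha256", "sha512"}   # PBKDF2 can wrap any HMAC-capable hash
ITERATIONS = 600_000             # assumed work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password, algo="sha256", iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_<algo>$<iters>$<salt>$<dk>."""
    salt = os.urandom(SALT_BYTES)  # per-user salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    return f"pbkdf2_{algo}${iterations}${salt.hex()}${dk.hex()}"


def parse(record):
    """Split a record into (algo, iterations, salt, dk); ValueError if malformed."""
    scheme, iters, salt_hex, dk_hex = record.split("$")
    prefix, _, algo = scheme.partition("_")
    if prefix != "pbkdf2" or algo not in ALLOWED:
        raise ValueError("unsupported scheme")
    return algo, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, record):
    """Recompute the derived key with the stored parameters and compare."""
    try:
        algo, iters, salt, expected = parse(record)
        dk = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iters,
                                 len(expected))
    except ValueError:
        return False               # malformed or unsupported record
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than the current policy."""
    return parse(record)[1] < iterations


if __name__ == "__main__":
    # Constructed sample: the same password stored for two users.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b, verify_password("correct horse battery staple", a))
```

Call `needs_rehash` after a successful login and, if it returns true, store a fresh `hash_password` result while the plaintext is still in memory.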
     