[colug-432] password survey

Rob Funk rfunk at funknet.net
Fri May 23 19:38:18 EDT 2014


On Friday, May 23, 2014 09:57:39 AM Rob Funk wrote:
> Scott McCarty wrote:
> > Personally, I do not consider hashing of any kind secure because it
> > is plausible to crack some of the passwords. Worse, it's a moving
> > target with ASICs and video cards cracking faster, and faster. I am
> > not trying to preach, but prefer keys, and session encryption for
> > anything production. By very nature, keys are two factor and revocable.

One more thing on this one: With keys, the server software needs access to 
the key, which means that anyone who can crack that software gets the key 
and therefore all the plaintext passwords. With hashes, the server software 
only gets access to individual plaintext passwords long enough to hash them, 
so there's no way to lose everything in one fell swoop.


> The problem with using symmetric encryption for passwords is that each
> account now has two ways of getting in: knowing/cracking the password,
> and knowing/cracking the encryption key. And unlike with hashing, if
> that encryption key is stolen then everyone's passwords are exposed.
> Generally it's not considered a good idea for anyone to get access to
> plaintext passwords. (Authentication protocols that involve passing
> the hashed password across the wire complicate things though, since
> the protocol does need access to the plaintext password.)

-- 
Rob Funk
http://funknet.net/rfunk
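The property Rob describes above (the server touches each plaintext password only long enough to hash it, and stores no single secret that unlocks every account) is what a salted, slow hash gives you. The following is an added example, not code from this thread or from any of its participants. It uses Python's standard-library PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count chosen for illustration; the user table, function names and the "needs_rehash" upgrade check are all constructed for this example. The rehash check is the defender's answer to the "moving target" point earlier in the thread: when hardware gets faster, raise the work factor and re-hash on the user's next successful login, without ever needing the old plaintext from storage.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example (not from the thread). A real deployment
# tunes ITERATIONS to the slowest acceptable login latency on its own hardware.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    The plaintext exists here only for the duration of this call; nothing
    retained in the returned record can be reversed to recover it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor and compare.

    There is no decryption key anywhere in this path: a verifier needs only
    the candidate password and the stored record.
    """
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False                           # malformed record, never a match
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than we now require.

    Call this after a successful verify_password() and, if it returns True,
    re-hash the password the user just supplied and overwrite the record.
    """
    try:
        algo, iters, _salt, _dk = stored.split("$")
        return algo != ALGO or int(iters) < min_iterations
    except ValueError:
        return True


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Hash every password of a (constructed) username->password mapping."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def salts_are_unique(table: Dict[str, str]) -> bool:
    """Sanity check: two users with the same password must not share a record."""
    salts = [rec.split("$")[2] for rec in table.values()]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Constructed sample data; two users deliberately share a password.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"})
    assert table["alice"] != table["bob"] and salts_are_unique(table)
    assert verify_password("correct horse", table["alice"])
    assert not verify_password("wrong horse", table["alice"])
    # An old record made with a small work factor is flagged for upgrade.
    old = hash_password("correct horse", iterations=10_000)
    assert needs_rehash(old) and not needs_rehash(table["alice"])
    print("stored record for alice:", table["alice"])
```

Dumping this table yields only algorithm tags, salts and hashes; there is no key on the server whose theft turns the whole dump into plaintext, which is exactly the contrast with the symmetric-encryption design quoted below.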