[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] #warning -- DICE.COM insecure passwords

To: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
From: Travis Biehn <tbiehn@xxxxxxxxx>
Date: Tue, 12 Feb 2013 17:58:13 -0500

What Tim said. I think warning was writing about the public shame from
having a massive pw dump not having some neckbeard expose them over using
crypt on some random industry mailing list (shudders).

Here is a long article on secure password storage. It is extremely exciting:
http://www.cigital.com/justice-league-blog/2012/06/11/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/

-Travis


On Tue, Feb 12, 2013 at 5:14 PM, Tim <tim-security@xxxxxxxxxxxxxxxxxxx>wrote:

> > That's assuming that they didn't do the risk analysis and decide that
> > the effort required to fix the problem (which will probably require,
> > among other things, having every single user change their password)
> > is worth the effort.  Given that so many places have gotten hacked and
> > pwned that the user community response is usually "Meh. Another one",
> > they may rightfully have concluded that risking public shaming is
> > in fact a good business decision...
>
>
> Here's a bit of pseudocode for you Valdis:
>
> for each user:
>   let user.new_hash = scrypt(user.old_crypt_hash)
>
> # now update authentication routine to use user.new_hash with new
> # nested hashing algorithm
>
>
> So really, there's actually not a good reason to keep a crappy hash
> database around.  Just add a layer of good salted hashing on top.
>
> With that said, the unusual quirk of crypt being limited to 7
> characters is an additional challenge, but you can start with the
> above steps (which immediately improves security), and then slowly
> transition to using scrypt alone or some variant that supports longer
> passwords.
>
> tim
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Twitter <https://twitter.com/tbiehn> |
LinkedIn<http://www.linkedin.com/in/travisbiehn>|
GitHub <http://github.com/tbiehn> | TravisBiehn.com<http://www.travisbiehn.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
  - From: Jeffrey Walton

References:
- [Full-disclosure] #warning -- DICE.COM insecure passwords
  - From: warning
- Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
  - From: Tim

Prev by Date: [Full-disclosure] Polycom HDX Telnet Authorization Bypass
Next by Date: Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
Previous by thread: Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
Next by thread: Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
Index(es):
- Date
- Thread