
Subject: Re: At what layer to hash a password
From: Robin Wood
Date: Mon, 28 Jun 2010 15:17:09 +0100
On 28 June 2010 09:55, Grega Bremec <gregab@xxxxxxx> wrote:
> On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
>> You covered several of the arguments: the password moving down the
>> stacks and being intercepted there, the maintainability.
>> But there's two more things I'd raise.  First off, you really shouldn't
>> be hashing your passwords.  It's better to use something I don't know
>> the correct term for (I've heard adaptive hashing and iterative hashing.
>> I usually just call them by name).
> I agree on not hashing.
> Short of mentioning encryption in the transport layer (which is a must
> in any such scenario), by far the most secure method involving passwords
> known to me would be a challenge/response mechanism which completely
> eliminates the need to transfer any kind of sensitive information over
> the wire.
> If the client produces the right token, the response to the challenge
> will be identical to the one that the server calculated based on the PSK
> at hand and the authentication can be thought of as successful.

Nice once the PSK has been shared, but when the user enters a password
for the first time you still have to protect it. I prefer systems
where I send out random passwords, so I can handle this kind of thing, but
unfortunately a lot of clients, despite attempted education, prefer to
be able to let users enter their own passwords.
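A minimal working version of the exchange discussed in this thread, added here as an example rather than code from either poster. It assumes PBKDF2-HMAC-SHA256 with a high iteration count as the "adaptive/iterated hashing" step Tom refers to, and an HMAC over a fresh random challenge as the response in Grega's challenge/response scheme; the function names, parameters and the sample password are my own. The enrolment step is the one moment Robin points at where the cleartext password still has to cross the wire (under TLS); after that only the salt and the derived verifier leave the client or live on the server.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters, not from the thread: PBKDF2-HMAC-SHA256 with a high
# iteration count as the "adaptive/iterated hashing" step, a 16-byte random
# salt per user, and a 32-byte random challenge per login attempt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
CHALLENGE_BYTES = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation used identically by client and server.
    The iteration count is what makes offline guessing against a stolen
    verifier expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def enroll(password: str) -> dict:
    """Server-side enrolment. This is the one step where the cleartext
    password must reach the server (over TLS); afterwards only the salt
    and the derived verifier are stored, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "verifier": derive_key(password, salt)}


def new_challenge() -> bytes:
    """Server: fresh, unpredictable nonce per login attempt. Reusing a
    challenge would let a captured response be replayed."""
    return secrets.token_bytes(CHALLENGE_BYTES)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client: re-derive the verifier locally from the password and the salt
    the server sent, then MAC the challenge with it. Neither the password
    nor the verifier is transmitted, only the MAC."""
    key = derive_key(password, salt)
    return hmac.new(key, challenge, "sha256").digest()


def server_verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server: compute the same MAC from the stored verifier and compare
    in constant time."""
    expected = hmac.new(record["verifier"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo(password: str = "correct horse battery staple") -> dict:
    """Run the exchange end to end (constructed sample data) and report
    the outcome of each case."""
    record = enroll(password)  # one-time enrolment, password sent under TLS

    # Normal login: server challenges, client answers, server checks.
    c1 = new_challenge()
    good = client_response(password, record["salt"], c1)
    results = {"correct_password": server_verify(record, c1, good)}

    # Wrong password: different derived key, so a different MAC.
    bad = client_response("wrong password", record["salt"], c1)
    results["wrong_password"] = server_verify(record, c1, bad)

    # Replay: an eavesdropper who captured `good` presents it against the
    # next login's challenge, which differs, so it is rejected.
    c2 = new_challenge()
    results["replayed_response"] = server_verify(record, c2, good)

    # Caveat: whoever holds the stored verifier can answer any challenge
    # without ever learning the password (the verifier *is* the PSK).
    forged = hmac.new(record["verifier"], c2, "sha256").digest()
    results["stolen_verifier"] = server_verify(record, c2, forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last case in `demo` is the check a practitioner should make before adopting this pattern: because the server stores exactly the value the client derives, a copy of the database is enough to impersonate any user without cracking anything. The iterated hash still slows down recovery of the original password, but it does not stop that impersonation; that is the gap the PAKE family of protocols (e.g. SRP) was designed to close, and it is outside what this snippet shows.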


