
Security Basics mailing list archives
Re: SQL Storing Passwords?
From: Davin Enigl <davinenigl () comcast net>
Date: Wed, 05 Sep 2012 06:46:18 -0700
It's hard to say if that "key" field is really a key, a salt or just a SHA-1 160-bit hash of the password. Some HSMs are not too expensive: Yubico has a $500 HSM encryption system - I recommend it be used as Jeffrey Walton suggests, or as a second corporate salt as I suggested.

Old news: the SANS newsletter reported SHA-1 hashes were cracked for LinkedIn for weak "human-generated" passwords. Random-generated (C-PRNG) passwords were not cracked. There is a lesson here. Randomise your password creation as well as hash and double salt. I hope they switch to SHA-2-256 with a 128-bit or larger salt.

Passwords are dead to me. I use two-factor and Yubikey tokens.

On 09/04/2012 11:38 AM, Jeffrey Walton wrote:
> Sorry to play language lawyer here.... Gautam said "Key", not "Salt": "...so the hashing is done like this SSHA('mypassword','key')"
>
> Keys are private parameters and salts are public parameters. If you want to treat a salt as a key, it needs to be appropriately protected.
>
> I was recently reading a paper from John Steven of Cigital and OWASP on Password Security. His threat models required the use of both keys and salts. For organizations that have the resources, the key goes in an HSM (unlikely in a Mom-and-Pop shop).
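The key-versus-salt distinction in the exchange above, as an added worked example for this archive page (it is not code from either poster, and neither of them proposed this exact construction). It stores a public, random 128-bit per-user salt beside the hash, binds the password to a secret key with HMAC before hashing, and then stretches with PBKDF2-HMAC-SHA256. Assumptions of mine: PBKDF2 as the stretching construction, the iteration count, and a hard-coded PEPPER constant standing in for a key that, in the deployment Jeffrey Walton describes, would be held in an HSM. The final function reproduces the LinkedIn-style attack on unsalted, unkeyed SHA-1 against a constructed two-entry "leak" and a three-word dictionary, to show why the human-generated password falls and the CSPRNG one does not.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, NamedTuple, Optional

# Per-user salt: public, random, stored beside the hash. 16 bytes is the
# 128-bit salt size recommended in the post.
SALT_BYTES = 16

# PBKDF2 work factor. Assumed value: tune upward until one verification costs
# a noticeable fraction of a second on the production hardware.
DEFAULT_ITERATIONS = 200_000

# Secret key ("pepper"). Assumption for this demo only: a local constant.
# In the deployment the thread describes it would live in an HSM and the
# HMAC below would be an HSM operation; it is never stored in the database.
PEPPER = bytes.fromhex("6f0bd2a1e4c8b7d3590f6e1a2b3c4d5e")


class PasswordRecord(NamedTuple):
    """What the database stores. Note the key is not part of it."""
    salt: bytes
    iterations: int
    digest: bytes


def _keyed_password(password: str, pepper: bytes) -> bytes:
    """Bind the password to the secret key first, so a dumped table is
    useless to an attacker who does not also hold the key."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> PasswordRecord:
    """Produce the record to store: public salt, public iteration count, hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh CSPRNG salt per user
    digest = hashlib.pbkdf2_hmac("sha256", _keyed_password(password, pepper),
                                 salt, iterations)
    return PasswordRecord(salt, iterations, digest)


def verify_password(password: str, record: PasswordRecord,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored public parameters plus the secret key and
    compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", _keyed_password(password, pepper),
                                    record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


def unsalted_sha1(password: str) -> str:
    """The weak scheme the LinkedIn leak used: one bare SHA-1, no salt, no key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted_sha1(digests: Iterable[str],
                        wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up against every leaked digest at
    once. This only works because there is neither a salt nor a key."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("right password, right key :", verify_password("correct horse battery staple", rec))
    print("wrong password            :", verify_password("Tr0ub4dor&3", rec))
    # Stolen table but no key: even the right password does not verify.
    print("right password, no key    :",
          verify_password("correct horse battery staple", rec, pepper=b"\x00" * 16))

    # Constructed sample "leak": one human-chosen password, one CSPRNG-style one.
    leaked = [unsalted_sha1("password123"), unsalted_sha1("uY8kLp2QzR9vT4wX")]
    print("recovered from leak       :",
          crack_unsalted_sha1(leaked, ["letmein", "password123", "qwerty"]))
```

Run it as a script to see all three verification cases and the dictionary result. The point to take from the last line is the one Davin makes about the LinkedIn dump: the attack cost is one hash per guess shared across every victim, so only guessable passwords fall; a per-user salt forces one hash per guess per victim, and a key the attacker does not hold makes offline guessing impossible at any cost.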
Current thread:
- Re: SQL Storing Passwords? Gautam (Sep 04)
- Re: SQL Storing Passwords? Alexander Meesters (Sep 04)
- Re: SQL Storing Passwords? khushal201301 (Sep 04)
- Re: SQL Storing Passwords? Davin Enigl (Sep 04)
- Re: SQL Storing Passwords? Jeffrey Walton (Sep 04)
- Re: SQL Storing Passwords? Davin Enigl (Sep 05)
- Re: SQL Storing Passwords? Alexander Meesters (Sep 04)