WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Tom Ritter <tom () ritter vg>
Date: Sat, 26 Jun 2010 07:13:13 -0400
You covered several of the arguments: the password moving down the stacks and being intercepted there, the maintainability. But there are two more things I'd raise.

First off, you really shouldn't be hashing your passwords. It's better to use something I don't know the correct term for (I've heard adaptive hashing and iterative hashing; I usually just call them by name). The two things to read are "Enough with the Rainbow Tables: What you need to know about Secure Password Schemes" [1], which covers bcrypt, and Colin Percival's new algorithm scrypt [2]. These are hashes, but they're not your standard SHA-2 fare. These protocols are not able to be run natively in any database I know of.

Additionally, at least at my office, our database is by far the busiest machine we have, so moving CPU-intensive work (like calculating geographic intersections) off it is always a win for us.

-tom

[1] http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
[2] http://www.daemonology.net/blog/2009-05-09-scrypt-key-derivation.html
Current thread:
- At what layer to hash a password Robin Wood (Jun 26)
- Re: At what layer to hash a password Chris Travers (Jun 28)
- Re: At what layer to hash a password Javier Bassi (Jun 28)
- Re: At what layer to hash a password Chris Travers (Jun 29)
- RE: At what layer to hash a password Dave Wichers (Jun 28)
- Re: At what layer to hash a password Robin Wood (Jun 28)
- Re: At what layer to hash a password Tom Ritter (Jun 28)
- Re: At what layer to hash a password Grega Bremec (Jun 28)
- Re: At what layer to hash a password Robin Wood (Jun 28)
- Re:Re: At what layer to hash a password 薛 (Jun 29)
- Re: At what layer to hash a password Grega Bremec (Jun 28)
- RE: At what layer to hash a password Niels Teusink (Jun 28)
- Re: At what layer to hash a password Chris Travers (Jun 29)