WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Robin Wood <robin () digininja org>
Date: Mon, 28 Jun 2010 15:17:09 +0100
On 28 June 2010 09:55, Grega Bremec <gregab () p0f net> wrote:
> On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
>> You covered several of the arguments: the password moving down the stacks and being intercepted there, the maintainability. But there are two more things I'd raise. First off, you really shouldn't be hashing your passwords. It's better to use something I don't know the correct term for (I've heard adaptive hashing and iterative hashing. I usually just call them by name).
>
> I agree on not hashing. Short of mentioning encryption in the transport layer (which is a must in any such scenario), by far the most secure method involving passwords known to me would be a challenge/response mechanism which completely eliminates the need to transfer any kind of sensitive information over the wire. If the client produces the right token, the response to the challenge will be identical to the one that the server calculated based on the PSK at hand and the authentication can be thought of as successful.
Nice once the PSK has been shared, but when the user enters a password for the first time you still have to protect it. I prefer systems where I send out random passwords so I can handle this kind of thing, but unfortunately a lot of clients, despite attempted education, prefer to be able to let users enter their own passwords.

Robin
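The challenge/response scheme Grega describes, combined with the iterated hashing Tom mentions, as an added example written for this archive page (not code from any poster). It assumes a PBKDF2-derived key stands in for the PSK, an HMAC over a server nonce as the response, and a per-challenge nonce set on the server so a captured response cannot be replayed; enrollment is the one step where the password itself crosses the wire, which is Robin's point, so it still needs TLS.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor (the "iterative hashing")


def enroll(password: str) -> dict:
    """Registration. Runs once, over TLS: the cleartext password is seen here
    and never again. The server keeps only the salt and the derived key (PSK)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "key": key}


class Server:
    def __init__(self, record: dict):
        self.record = record
        self.pending = set()  # outstanding nonces; each may be answered once

    def challenge(self):
        """Issue a fresh random nonce plus the salt the client needs to
        re-derive the PSK. Nothing secret leaves the server."""
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce, self.record["salt"]

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Recompute the expected token from the stored PSK and compare in
        constant time. Unknown or already-used nonces are rejected (replay)."""
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        expected = hmac.new(self.record["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: derive the same PSK from the typed password, then prove
    knowledge of it by keying an HMAC over the server's nonce."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def authenticate(server: Server, password: str) -> bool:
    """One full round trip: challenge -> response -> verify."""
    nonce, salt = server.challenge()
    return server.verify(nonce, client_respond(password, salt, nonce))
```

A captured nonce/response pair still lets an eavesdropper test password guesses offline against the HMAC, which is why the transport-layer encryption Grega calls a must is not optional here either.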