Re: At what layer to hash a password

[Robin Wood <robin () digininja org>]

On 28 June 2010 09:55, Grega Bremec <gregab () p0f net> wrote:
> On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
> > You covered several of the arguments: the password moving down the
> > stacks and being intercepted there, the maintainability.
> >
> > But there's two more things I'd raise.  First off, you really shouldn't
> > be hashing your passwords.  It's better to use something I don't know
> > the correct term for (I've heard adaptive hashing and iterative hashing.
> >  I usually just call them by name).
>
> I agree on not hashing.
>
> Short of mentioning encryption in the transport layer (which is a must
> in any such scenario), by far the most secure method involving passwords
> known to me would be a challenge/response mechanism which completely
> eliminates the need to transfer any kind of sensitive information over
> the wire.
>
> If the client produces the right token, the response to the challenge
> will be identical to the one that the server calculated based on the PSK
> at hand and the authentication can be thought of successful.

Nice once the PSK has been shared but when the user enters a password
for the first time you still have to protect it. I prefer systems
where I send out random passwords so can handle this kind of thing but
unfortunately a lot of clients, despite attempted education, prefer to
be able to let users enter their own passwords.

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------