nanog mailing list archives
Re: Password storage (was Re: gmail security is a joke)
From: shawn wilson <ag4ve.us () gmail com>
Date: Thu, 28 May 2015 16:36:45 -0400
On May 28, 2015 10:11 AM, "Christopher Morrow" <morrowc.lists () gmail com> wrote:
> On Thu, May 28, 2015 at 5:29 AM, Robert Kisteleki <robert () ripe net> wrote:
>> Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today.

One thing to remember is that the hardware determines the number of rounds. So while my LUKS (PBKDF2) pass on my laptop or servers has a few 10k rounds, that same pass on a Pi or so would only have 1k rounds (minimum rec).

> I get the feeling that, along with things like 'email address verification' in javascript form things, passwd storage and management is something done via a few (or a bunch of crappy home-grown) code bases.

Not generally passwords per se, but session tokens and the like, sure (almost as bad).

> Seems like 'find the common/most-used' ones and fix them would get some mileage? I don't imagine that 'dlink' (for example) is big on following rfc stuff for their web-interface programming? (well, at least for things like 'how should we store passwds?')

Heh, I started on a fuzzer that'd take a few strings and run them through recipes (base 32/64, rot, xor 1 or 0, etc) and try to find human strings along the way. If multiple strings match a recipe, you can generate your own sessions.
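As an added illustration of the two points above (a fresh random salt per password, and a PBKDF2 round count that depends on the hardware and so must be stored with the hash), here is example code that is not from anyone in this thread. The `algo$rounds$salt$dk` record layout, the 0.25 s target, and the 10k-round floor are assumptions chosen for the example, not values taken from the discussion.

```python
import hashlib
import hmac
import os
import time

# Floor we never go below, whatever the hardware measures.
# Example value for this snippet, not a figure from the thread.
MIN_ROUNDS = 10_000

def calibrate_rounds(target_seconds=0.25, floor=MIN_ROUNDS, probe=20_000):
    """Pick a PBKDF2 iteration count so one derivation takes roughly
    target_seconds on *this* machine: a slow box (e.g. a Pi) gets fewer
    rounds than a laptop, so the count is stored in each record."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(16), probe)
    elapsed = time.perf_counter() - start
    measured = int(probe * target_seconds / max(elapsed, 1e-9))
    return max(measured, floor)

def hash_password(password, rounds):
    """Self-describing record (assumed layout): algorithm, rounds,
    16-byte random salt, derived key. Every call draws a new salt, so
    two users with the same password get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Re-derive with the salt and rounds from the record; compare in
    constant time so a mismatch does not leak where it differed."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(record, current_rounds):
    """True when a record was made with fewer rounds than this hardware
    now affords; rehash it on the next successful login."""
    return int(record.split("$")[1]) < current_rounds

if __name__ == "__main__":
    rounds = calibrate_rounds()
    rec = hash_password("correct horse battery staple", rounds)
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```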