WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Grega Bremec <gregab () p0f net>
Date: Mon, 28 Jun 2010 10:55:04 +0200
On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
> You covered several of the arguments: the password moving down the stacks and being intercepted there, the maintainability. But there are two more things I'd raise. First off, you really shouldn't be hashing your passwords. It's better to use something I don't know the correct term for (I've heard adaptive hashing and iterative hashing. I usually just call them by name).
I agree on not hashing. Short of mentioning encryption in the transport layer (which is a must in any such scenario), by far the most secure method involving passwords known to me would be a challenge/response mechanism which completely eliminates the need to transfer any kind of sensitive information over the wire. If the client produces the right token, the response to the challenge will be identical to the one that the server calculated based on the PSK at hand, and the authentication can be thought of as successful.

Regards,
--
Grega Bremec
gregab at p0f dot net
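The exchange described in the reply above, as an added example that is not part of the original thread: a server issues a random challenge, the client answers with an HMAC of that challenge keyed with the pre-shared key, and the server recomputes the same value from its own copy of the PSK and compares. The PSK never crosses the wire. Names (Server, compute_response, client_respond, run_exchange), the HMAC-SHA256 construction, the context string, the 30-second challenge lifetime and the sample credential store are all assumptions made for this example. One caveat the example makes explicit: because the server must be able to recompute the response, it has to hold the PSK (or an equivalent derived key) in usable form, so that stored value is password-equivalent and needs the same protection a plaintext password would.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store (assumption): what the server holds per user.
# Caveat: the server needs a key it can recompute the response with, so this
# value is password-equivalent and must be protected accordingly.
PSK_STORE = {
    "alice": b"correct horse battery staple",  # constructed sample PSK
}

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumption for the example)
CONTEXT = b"auth-v1"  # domain-separation label so the HMAC cannot be reused elsewhere


def compute_response(psk, challenge, username):
    """HMAC-SHA256 over a context label, the identity and the challenge, keyed with the PSK."""
    msg = CONTEXT + b"|" + username.encode("utf-8") + b"|" + challenge
    return hmac.new(psk, msg, hashlib.sha256).digest()


def client_respond(psk, challenge, username):
    """Step 2 (client): prove possession of the PSK without ever sending it."""
    return compute_response(psk, challenge, username)


class Server:
    def __init__(self, store, now=time.time):
        self.store = store
        self.now = now          # injectable clock so expiry can be exercised offline
        self.pending = {}       # username -> (challenge, issued_at)

    def issue_challenge(self, username):
        """Step 1 (server): send a fresh random nonce; nothing secret crosses the wire."""
        challenge = secrets.token_bytes(32)
        self.pending[username] = (challenge, self.now())
        return challenge

    def verify(self, username, response):
        """Step 3 (server): recompute the expected response from the stored PSK and compare."""
        entry = self.pending.pop(username, None)   # a challenge is single-use
        if entry is None:
            return False                           # no outstanding challenge: replay or out of order
        challenge, issued = entry
        if self.now() - issued > CHALLENGE_TTL:
            return False                           # stale challenge
        psk = self.store.get(username)
        if psk is None:
            # Do equivalent work for unknown users so timing does not reveal valid usernames.
            hmac.compare_digest(compute_response(b"\x00" * 32, challenge, username), response)
            return False
        expected = compute_response(psk, challenge, username)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange(server, username, client_psk):
    """Drive one full challenge/response round trip and return the server's verdict."""
    challenge = server.issue_challenge(username)          # server -> client
    response = client_respond(client_psk, challenge, username)  # client -> server
    return server.verify(username, response)


if __name__ == "__main__":
    srv = Server(PSK_STORE)
    print("correct PSK:", run_exchange(srv, "alice", PSK_STORE["alice"]))
    print("wrong PSK:  ", run_exchange(srv, "alice", b"guess"))
```

Two properties are worth checking beyond "right key succeeds, wrong key fails": a captured response cannot be replayed, because the server discards the challenge on first use, and a challenge answered after its lifetime is rejected, so an attacker who intercepts one cannot sit on it. The example uses an injectable clock so both can be exercised without waiting.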