Open Source and information security mailing list archives
From: avalon at caligula.anu.edu.au (Darren Reed)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

In some mail from tido@...hmail.com, sie said:
> 
> 
> Unless I am missing something, the addition of a "hard-key" would not
> be any better than a stored password.
> 
> If you authorize the machine, or a piece of hardware plugged into the
> machine does not make a difference.
> 
> What keeps another process/user/root/admin from requesting the
> password/authorization from the hard-key?
> (possibly a password that has to be entered by an admin?
>  and the cycle continues)

Ideally what you do is give the encrypted contents to the external
device that has the secret key in its memory, protected from the
computer and get returned decrypted contents.

Like, for example, the USB Rainbow iKey device I have.
When used with old versions of Netscape, encrypted email etc., is
all handled by the dongle, not the computer.  This is generally
not suitable for HTTPS, but instead you can apply network connected
web accelerators.

However none of this has anything to do with validating the
authenticity of a user.  As someone mentioned, use a one way
hash function with a seed for this.

Darren
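The "one way hash function with a seed" the reply recommends for validating a user, as an added Python example (not code from this thread or its author): the seed is a per-password random salt, the hash is PBKDF2-HMAC-SHA256 with an iteration count chosen for the example (both assumptions; the message names no specific function), and verification recomputes the derivation rather than storing or comparing the password itself, which is the difference from the "stored password" in the quoted mail.

```python
import hashlib
import hmac
import os
from typing import Optional

# Key-derivation parameters (assumed for this example; the thread does not
# specify a function). Raise the iteration count on faster hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable verifier: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt (the "seed") is drawn for every password, so two users
    with the same password get different verifiers and a table precomputed
    from the bare hash is useless against the stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time.

    Only the verifier is ever stored; the password itself never is, so reading
    the store does not yield anything that can be replayed as the password.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = verifier.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or truncated verifier
    if scheme != SCHEME or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = make_verifier("correct horse battery")  # constructed sample password
    print(stored)
    print(verify_password("correct horse battery", stored))  # True
    print(verify_password("wrong guess", stored))  # False
```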
