| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2015 17:59:20 -0400
From: Justin Cappos <jcappos@....edu>
To: discussions <discussions@...sword-hashing.net>
Subject: Re: [PHC] Re: Password hashing by itself is not enough
>
> While I am a fan of PolyPass, it provides different security than a master
> secret. If a small number of passwords is need, like 3, then an attacker
> only needs to create 3 shill accounts before stealing the password DB.
>
Sure, but the system should be configured so that accounts that can be
automatically created do not protect the secret. I agree that PPH
basically devolves to the strength of the secure salted hash in the case an
attacker can create as many shills (that are protector accounts) as they
like. Easily obtainable accounts must be shielded accounts (which don't
impact the key's security), not protector accounts.
So, PPH makes a DB harder to crack, but the added strength depends on how
easy it is for an attacker to obtain the passwords for many protector
accounts.
Thanks,
Justin
Content of type "text/html" skipped
Powered by blists - more mailing lists