lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <bb5d5d97c00e4c62a7b90a2fe852306d@BLUPR03MB166.namprd03.prod.outlook.com>
Date: Tue, 20 Aug 2013 20:14:03 +0000
From: Marsh Ray <maray@...rosoft.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Terminology goals

Dan Goodin - Why you should take hacked sites' password assurances with a grain of salt
http://arstechnica.com/security/2013/05/why-you-should-take-hacked-sites-password-assurances-with-a-grain-of-salt/

Thomas Ptacek (@tqbf) is known for saying "If you're salting your hashes, you're doing it wrong". By this he means you should be using [sb]crypt which performs salting intrinsically.

>From a recent breach disclosure (the actual org doesn't seem relevant):
"The security of your information is critically important to us, so we're really sorry to share that a portion of our North American account information was recently compromised.
What we know: usernames, email addresses, *salted password hashes*, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft."

The problem with the current terminology is that we don't know if there was any work factor applied. Thus we don't know if it was MD5(salt + password), which is only barely better than MD5(password) in practice.

Perhaps we can address this.

Since an authentication scheme for password-based credentials has a subtly different set of security properties than general hashing, message digesting, MACing, and even key derivation, we should strongly consider giving it a different name. The values derived from the generate function. For example, we could call it a "pash function" or "pash values", which you could think of as "Password Authentication ScHeme" or just "Password Hash".

I think it could be a great result of the PHC if, some years from now, such a breach disclosure from an organization using the PHC result would communicate a meaningful reassurance. Ideally people using the PHC result could use a phrase such as "PHC hashes" or "pashes", which would guarantee at least a baseline level of work factor.

Thoughts/comments?


-          Marsh

BCC: @tqbf


Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ