Open Source and information security mailing list archives
Message-id: <AABB493B-6A20-48AC-97B6-3DF6D4F23B26@mac.com>
Date: Tue, 20 Aug 2013 23:06:44 -0700
From: Larry Bugbee <bugbee@....com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Terminology goals


On Aug 20, 2013, at 7:41 PM, Peter Maxwell wrote:

> The other thing that came to mind from Marsh's original post concerned the other data that services often store alongside the password, e.g. personal data and the "forget password" question & answer.  I know this is out of scope but it probably deserves discussion at some point as it's all very well for us to solve the password hash problem but if the "forget password" answers are stored in plaintext we've not done much (and many email accounts are compromised by that very route). 

At first blush the same algorithm used to hash passwords could be used to hash "forget password" answers.

...unless you want the help desk to have access.  ...which now becomes an encryption problem?  Ugh!
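As an added illustration of the point made above (example code written for this archive page, not from the thread, from Larry Bugbee, or from any PHC submission): "forget password" answers stored the same way as passwords, i.e. run through a slow, salted password-hashing function and compared in constant time, so a database dump yields no plaintext answers. The answer normalization rules, the use of PBKDF2-HMAC-SHA256 (chosen only because it ships in Python's standard library; any password hash fits the same slot), the iteration count, and the `$pbkdf2-sha256$...` storage format are all assumptions of this example. The help-desk-readable variant the message mentions would require encryption with its own key-management story and is deliberately not shown.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional

# Assumed parameters for this example; tune iterations to your latency budget.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2-sha256"


def normalize_answer(answer: str) -> str:
    """Canonicalize a recovery answer so trivial variations still match.

    Users type "New York", "new york" and " NEW  YORK " for the same answer,
    so apply Unicode NFKC, casefold, and collapse whitespace before hashing.
    Punctuation is kept on purpose: stripping it would silently shrink the
    answer space further. These rules are an assumption of the example.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a recovery answer exactly like a password: per-record random salt,
    slow KDF, self-describing storage string so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        iterations,
        dklen=KEY_BYTES,
    )
    return f"${SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash from the parameters in the stored string and compare
    in constant time. Malformed records verify as False rather than raising."""
    try:
        _, scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        iterations,
        dklen=len(expected),
    )
    return hmac.compare_digest(digest, expected)


def verify_all(answers: List[str], stored: List[str]) -> bool:
    """Check every configured question and only report the combined result.

    Every pair is evaluated even after a failure so the caller cannot learn
    which individual answer was wrong from the response or its timing.
    """
    if len(answers) != len(stored) or not stored:
        return False
    ok = True
    for answer, record in zip(answers, stored):
        ok &= verify_answer(answer, record)
    return ok


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    records = [hash_answer("  New   YORK "), hash_answer("Rex")]
    print(records[0])
    print("match:", verify_all(["new york", "rex"], records))
    print("mismatch:", verify_all(["new york", "fido"], records))
```

With this shape, rotating to a stronger function later (scrypt, Argon2, or whichever PHC winner a deployment adopts) only means emitting a new scheme tag and re-hashing on the next successful recovery, exactly as one would for passwords.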