Date: Sun, 23 Mar 2014 10:26:20 +0100
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Transforming hash to different cost setting

On 22.03.2014 12:04, Krisztián Pintér wrote:
> 
> Christian Forler (at Saturday, March 22, 2014, 11:17:34 AM):
> 
>> Companies will accept a transparent, no-effort solution which improves
>> the password hash security of their users. They will not delete old user
>> data.
> 
> You keep mentioning deletion of user data. I restate that I was
> talking about deleting the password, not the data. When the user comes back
> after, say, a year of inactivity, he will simply be told that his
> password was deleted for security reasons, and now he needs to go
> through the usual forgotten password routine. Users can also be
> notified that in order to avoid this minor annoyance, they have to log
> in at least every 6 months. That is not of anybody's concern. This
> won't set your business back.


First of all, I do 100% agree with you on this topic. If you are able to
"delete" password hashes of inactive users, then do it.


But for many sales, controlling or management people, a password hash is
a part of the customer record. Those people fear that deleting a
password hash would lead to a bad user experience, and user experience
is much more important than security.

In the last years, we have learned that even IT companies like Yahoo or
RockYou did not even hash their users' passwords (sic!).

I repeat, they do NOT hash user passwords. This is the reality. Do you
really think that such companies are even remotely thinking about
deleting password hashes of inactive users?

IMHO we do need web frameworks and userDBs with good default
configurations to protect our passwords. I'm just worried about the
acceptance of solutions which automatically delete password hashes
(part of a user record) of inactive users.

Best regards,
Christian