Message-ID: <1401117421.18997.2.camel@localhost.localdomain>
Date: Mon, 26 May 2014 17:17:01 +0200
From: Yann Droneaud <ydroneaud@...eya.com>
To: Phillip Hallam-Baker <phill@...lambaker.com>
Cc: "cryptography@...zdowd.com" <cryptography@...zdowd.com>, 
	discussions@...sword-hashing.net
Subject: Re: [Cryptography] The proper way to hash password files

On Thursday, 22 May 2014 at 13:09 -0400, Phillip Hallam-Baker wrote:
> Lots of sackcloth and ashes as EBay loses a password file.
> 
> It occurs to me that most of the time, machines do password files
> wrong. Rather than using a salted hash, a better approach would be to
> use a MAC with a randomly chosen key that is never disclosed.
> 
> Now this seems obvious but I can't recall ever seeing code set up to
> do the job this way...

The proper way to hash passwords is at https://password-hashing.net/

(or someone was late to submit her proposal!)

Regards.

-- 
Yann Droneaud
OPTEYA
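
The quoted proposal (a MAC under a secret key instead of a bare salted hash), as an added sketch that is not code from either poster or from password-hashing.net. It assumes HMAC-SHA256 as the MAC and PBKDF2 as the stretching step, keeps a per-user salt so equal passwords do not produce equal tags, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def salted_hash(password: str, salt: bytes) -> bytes:
    """Conventional salted, stretched hash: anyone holding the file can test guesses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def keyed_tag(password: str, salt: bytes, key: bytes) -> bytes:
    """MAC over the salted hash; the key lives outside the password file."""
    return hmac.new(key, salted_hash(password, salt), hashlib.sha256).digest()


def enroll(password: str, key: bytes) -> dict:
    """Build the record that would be written to the password file."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "tag": keyed_tag(password, salt, key)}


def verify(password: str, record: dict, key: bytes) -> bool:
    """Server-side check: needs both the stored record and the secret key."""
    expected = keyed_tag(password, record["salt"], key)
    return hmac.compare_digest(expected, record["tag"])


def file_alone_confirms(password: str, record: dict) -> bool:
    """Can the stored record, without the key, confirm a candidate password?"""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["tag"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed sample key
    rec = enroll("correct horse", key)      # constructed sample password
    print("verify with key:      ", verify("correct horse", rec, key))
    print("file alone confirms:  ", file_alone_confirms("correct horse", rec))
    print("verify with wrong key:", verify("correct horse", rec, secrets.token_bytes(32)))
```

The protection holds only while the key stays out of whatever store leaked; once the key is disclosed together with the file, the record is no stronger than the salted hash underneath it.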

