Message-ID: <1401117421.18997.2.camel@localhost.localdomain>
Date: Mon, 26 May 2014 17:17:01 +0200
From: Yann Droneaud <ydroneaud@...eya.com>
To: Phillip Hallam-Baker <phill@...lambaker.com>
Cc: "cryptography@...zdowd.com" <cryptography@...zdowd.com>,
 discussions@...sword-hashing.net
Subject: Re: [Cryptography] The proper way to hash password files

On Thursday, 22 May 2014 at 13:09 -0400, Phillip Hallam-Baker wrote:
> Lots of sackcloth and ashes as EBay loses a password file.
>
> It occurs to me that most of the time, machines do password files
> wrong. Rather than using a salted hash, a better approach would be to
> use a MAC with a randomly chosen key that is never disclosed.
>
> Now this seems obvious but I can't recall ever seeing code set up to
> do the job this way...

The proper way to hash passwords is at https://password-hashing.net/

(or someone was late to submit her proposal!)

Regards.

-- 
Yann Droneaud
OPTEYA
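The keyed-MAC idea quoted in the message above, sketched in Python as an added example (not code from either poster or from any PHC submission): a per-user salt and scrypt stretch, then HMAC-SHA256 under a key that is never written to the password file. The scrypt step, the key handling and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumption: in a deployment the MAC key lives outside the password database
# (HSM, KMS, or a file the database dump never includes). It is generated here
# only so the example is self-contained.
MAC_KEY = secrets.token_bytes(32)


def _stretch(password, salt):
    # Salted, memory-hard step (scrypt): still slows guessing if the key leaks too.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def make_record(password, key):
    """Build the row stored in the password file: salt and keyed tag only."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(key, _stretch(password, salt), hashlib.sha256).digest()
    return {"salt": salt.hex(), "tag": tag.hex()}


def verify(password, record, key):
    """Recompute the tag with the given key and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["tag"])
    candidate = hmac.new(key, _stretch(password, salt), hashlib.sha256).digest()
    return hmac.compare_digest(candidate, expected)


def count_matches(record, candidates, key):
    """How many candidate passwords verify against a record under this key."""
    return sum(verify(c, record, key) for c in candidates)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple", MAC_KEY)  # constructed sample
    candidates = ["123456", "password", "correct horse battery staple"]
    print("server, real key    :", count_matches(rec, candidates, MAC_KEY))
    # A copy of the stored file alone carries no key, so nothing verifies.
    print("file only, wrong key:", count_matches(rec, candidates,
                                                 secrets.token_bytes(32)))
```

The stored row contains nothing that lets a holder of the file test a password without the key, which is the property the quoted proposal relies on; the salt and scrypt step remain as a fallback if the key is disclosed.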