Date: Mon, 26 May 2014 17:17:01 +0200
From: Yann Droneaud <>
To: Phillip Hallam-Baker <>
Cc: "" <>,
Subject: Re: [Cryptography] The proper way to hash password files

On Thursday 22 May 2014 at 13:09 -0400, Phillip Hallam-Baker wrote:
> Lots of sackcloth and ashes as EBay loses a password file.
> It occurs to me that most of the time, machines do password files
> wrong. Rather than using a salted hash, a better approach would be to
> use a MAC with a randomly chosen key that is never disclosed.
> Now this seems obvious but I can't recall ever seeing code set up to
> do the job this way...

The proper way to hash passwords is at

(or someone was late to submit her proposal!)


Yann Droneaud
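
The keyed-MAC idea from the quoted message, as an added example that is not part of the original thread and not code from either correspondent. The per-user salt, the PBKDF2 stretching step, the record layout and all function names are assumptions of this sketch, which goes beyond the quoted proposal by keeping a salt alongside the MAC:

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def new_mac_key() -> bytes:
    """Random MAC key, kept outside the password file (HSM, KMS, separate host)."""
    return secrets.token_bytes(32)


def _tag(mac_key: bytes, salt: bytes, password: str) -> bytes:
    # Stretch first, so that a leaked key does not reduce each guess to one HMAC call.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # The stored verifier is a MAC under the undisclosed key, not a bare hash.
    return hmac.new(mac_key, salt + stretched, hashlib.sha256).digest()


def enroll(mac_key: bytes, password: str) -> dict:
    """Build the record that goes into the password file (hypothetical layout)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "tag": _tag(mac_key, salt, password).hex()}


def verify(mac_key: bytes, record: dict, password: str) -> bool:
    """Recompute the tag and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["tag"])
    return hmac.compare_digest(expected, _tag(mac_key, salt, password))


if __name__ == "__main__":
    key = new_mac_key()
    record = enroll(key, "correct horse")  # constructed sample password
    print("right password, right key:", verify(key, record, "correct horse"))
    print("wrong password, right key:", verify(key, record, "battery staple"))
    # Someone holding only the stored record has no key to test guesses against.
    print("right password, other key:", verify(new_mac_key(), record, "correct horse"))
```

The scheme is only as strong as the separation between the key and the password file: if both are stored or backed up together, it degrades to an ordinary salted, stretched hash.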
