lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 17:59:20 -0400
From: Justin Cappos <jcappos@....edu>
To: discussions <discussions@...sword-hashing.net>
Subject: Re: [PHC] Re: Password hashing by itself is not enough

>
> While I am a fan of PolyPass, it provides different security than a master
> secret.  If a small number of passwords is need, like 3, then an attacker
> only needs to create 3 shill accounts before stealing the password DB.
>

Sure, but the system should be configured so that accounts that can be
automatically created do not protect the secret.  I agree that PPH
basically devolves to the strength of the secure salted hash in the case an
attacker can create as many shills (that are protector accounts) as they
like.  Easily obtainable accounts must be shielded accounts (which don't
impact the key's security), not protector accounts.

So, PPH makes a DB harder to crack, but the added strength depends on how
easy it is for an attacker to obtain the passwords for many protector
accounts.

Thanks,
Justin

Content of type "text/html" skipped

Powered by blists - more mailing lists