Message-ID: <39697022.20150424181258@gmail.com>
Date: Fri, 24 Apr 2015 18:12:58 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Client-side hashing (was side-channel stuff)

Sascha Schmidt (at Friday, April 24, 2015, 5:01:37 PM):
> Taking client-independent updates out of the equations seems reckless
> in most scenarios. You would basically put an expiration date on the
> password hashes.

expiration yes, but it is not reckless. it is merely an inconvenience.
and we are not talking about months here. we are talking about years.
so the downside is passwords will expire after a year or two, and the
user must proceed with the forgotten password routine. i don't think
it is that bad.