In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.
Ptacek: The difference between a cryptographic hash and a password storage hash is that a cryptographic hash is designed to be very, very fast. And it has to be because it’s designed to be used in things like IP-sec. On a packet-by-packet basis, every time a packet hits an Ethernet card, these are things that have to run fast enough to add no discernible latencies to traffic going through Internet routers and things like that. And so the core design goal for cryptographic hashes is to make them lightning fast.
Well, that’s the opposite of what you want with a password hash. You want a password hash to be very slow. The reason for that is a normal user logs in once or twice a day if that — maybe they mistype their password, and have to log in twice or whatever. But in most cases, there are very few interactions the normal user has with a web site with a password hash. Very little of the overhead in running a Web application comes from your password hashing. But if you think about what an attacker has to do, they have a file full of hashes, and they have to try zillions of password combinations against every one of those hashes. For them, if you make a password hash take longer, that’s murder on them.
So, if you use a modern password hash — even if you are hardware accelerated, even if you designed your own circuits to do password hashing, there are modern, secure password hashes that would take hundreds or thousands of years to test passwords on.
The problem is that you really need to make this design decision from the start -- it's hard to retrofit once you've got millions of users.
How Companies Can Beef Up Password Security
Though the October polls that predicted a great showing for the Pirate Party in the Icelandic elections turned out to be wrong, that election did end with a deeply divided parliament that has been unable to find enough common ground upon which to form a new government.
The University of Toronto’s Citizen Lab (previously) continues its excellent work, this time with a deep investigative piece on a sneaky form of censorship in China’s popular We Chat service, where messages posted to group chats that contain words on a government blacklist are made invisible to other participants in the chat, while the original […]
Deji writes, “Gambia is a small country but this story is pretty crazy. The president, who is seeking his 6th term, is using Trump rhetoric surrounding the ‘rigging of elections.’ People are voting by using marbles. Meanwhile, opposition activists and journalists have been arrested — and the government STILL shut off the internet. It seems […]
Loot Crate is a totally different kind of subscription service that mails subscribers monthly boxes filled with curated geek, pop culture, and gamer paraphernalia. Its cult following awaits a box every month filled with everything from bobble heads to T-shirts to special edition collectibles. But nothing gets Loot Crate fans as excited as the limited […]
The ARMOR-X Mini Flexible Phone Tripod is a smartphone tripod that is designed with flexible legs to rest on virtually any type of surface. Other tripods have proved useless unless I conveniently have a flat surface in front of me, which is why this particular tripod was appealing enough to try out. The ARMOR-X is compact and easy […]
You don’t need to get an advanced degree and take out massive loans to become a coder. This bundle of 10 courses was designed to teach anyone to code at home for less than it costs to go out for dinner. I was particularly impressed with this new 2017 bundle because it includes courses on […]