In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.
Ptacek: The difference between a cryptographic hash and a password storage hash is that a cryptographic hash is designed to be very, very fast. And it has to be because it’s designed to be used in things like IP-sec. On a packet-by-packet basis, every time a packet hits an Ethernet card, these are things that have to run fast enough to add no discernible latencies to traffic going through Internet routers and things like that. And so the core design goal for cryptographic hashes is to make them lightning fast.
Well, that’s the opposite of what you want with a password hash. You want a password hash to be very slow. The reason for that is a normal user logs in once or twice a day if that — maybe they mistype their password, and have to log in twice or whatever. But in most cases, there are very few interactions the normal user has with a web site with a password hash. Very little of the overhead in running a Web application comes from your password hashing. But if you think about what an attacker has to do, they have a file full of hashes, and they have to try zillions of password combinations against every one of those hashes. For them, if you make a password hash take longer, that’s murder on them.
So, if you use a modern password hash — even if you are hardware accelerated, even if you designed your own circuits to do password hashing, there are modern, secure password hashes that would take hundreds or thousands of years to test passwords on.
The problem is that you really need to make this design decision from the start -- it's hard to retrofit once you've got millions of users.
How Companies Can Beef Up Password Security
Ethan Zuckerman — formerly of Global Voices, now at the MIT Center for Civic Media — has spent his career trying to find thoughtful, effective ways to use technology as a lever to make positive social change (previously), but that means that he also spends a lot of time in the company of people making […]
Earlier this month, I gave the afternoon keynote at the Internet Archive’s Decentralized Web Summit, and my talk was about how the people who founded the web with the idea of having an open, decentralized system ended up building a system that is increasingly monopolized by a few companies — and how we can prevent the same things from happening next time.
At this week’s O’Reilly Velocity conference in Santa Clara, Artur Bergman, founder and CTO, told the story of how he got involved in starting a denial-of-service-resistant CDN — a personal story about helping his old company cope with a titanic DDoS attack that brought it and its upstream provider to their knees.
If you want a quality vaping experience, it’s usually going to cost you. Vaporizers that deliver a fast, controlled burn will set you back up to $300, which is why the FEZ Vaporizer (now just $99) is an absolute steal.The FEZ dry herb pen does everything that more expensive models handle at a reduced price. It heats up […]
Taking pictures can be challenging. There are a million factors that can influence each shot you take – and unless you’re a trained photographer, you often just focus, click…and cross your fingers.Of course, you can take some of the ambiguity out of your picture-taking with this Hollywood Art Institute Photography Course & Certification package, now […]
Experienced shutterbugs with DSLR cameras have boatloads of lens options for capturing the moment. Unfortunately, smartphone photographers often get stuck with their one crummy lens, which means limited zoom and focus for their final image.Step up your smartphone’s photographic power with the Acesori 5-Piece Smartphone Camera Lens Kit, now just $9.99 in the Boing Boing Store.Magnetic rings easily […]