[jdev] plaintext passwords hack

Tobias Markmann tmarkmann at googlemail.com
Wed Dec 16 18:17:42 CST 2009


On 17.12.09 00:56, Peter Saint-Andre wrote:
> And even if you do have hashed passwords, if someone breaks into your
> machine then it's not that much work to de-hash them all. It just looks
> scarier if they're in cleartext to start with.
>   
That more or less depends on what you store in your authentication
database. Considering SCRAM for example, which has been designed to
address the issue of clear-text passwords ([1], point 3), you'd ideally
store the SaltedPassword, the salt and the iteration count for your
users in the authentication database.
Since SaltedPassword is generated using Hi(hmac_sha1, password,
salt, iteration_count), even if you had the database with all the
SaltedPasswords you'd need brute force to find out the clear-text
passwords, which can take quite some time considering the variable
iteration count.

Cheers,
Tobias

[1] http://tools.ietf.org/html/draft-ietf-sasl-scram-10#page-31
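Added example (my own Python, not code from Tobias's message or from any XMPP server): the Hi() derivation the post refers to, written out as the SCRAM draft defines it, checked against the standard library's PBKDF2 (to which it is equivalent), and used to store and verify a per-user credential. The salt and iteration count below are constructed values; SASLprep normalisation of the password is omitted, and the draft additionally derives StoredKey and ServerKey from SaltedPassword, which is what a server keeps in practice.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def hi(password: bytes, salt: bytes, iterations: int, hash_name: str = "sha1") -> bytes:
    """Hi(str, salt, i) from the SCRAM draft: U1 = HMAC(str, salt + INT(1)),
    Ui = HMAC(str, U(i-1)), Hi = U1 XOR U2 XOR ... XOR Ui.
    This is PBKDF2 with dkLen equal to the hash output length."""
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    u = hmac.new(password, salt + struct.pack(">I", 1), hash_name).digest()
    result = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hash_name).digest()
        result = bytearray(a ^ b for a, b in zip(result, u))
    return bytes(result)


def matches_stdlib_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bool:
    """Self-check: the hand-written Hi() must agree with hashlib's PBKDF2-HMAC-SHA1."""
    return hi(password, salt, iterations) == hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def make_credential(password: str, iterations: int = 4096, salt: Optional[bytes] = None) -> dict:
    """Build the record the post suggests storing (SaltedPassword, salt, iteration count)
    plus the StoredKey/ServerKey the draft derives from it. Salt is random per user unless
    a constructed one is passed in for testing."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha1").digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", "sha1").digest()
    return {"salt": salt, "iterations": iterations, "salted_password": salted,
            "stored_key": stored_key, "server_key": server_key}


def verify_password(cred: dict, candidate: str) -> bool:
    """Recompute SaltedPassword from the stored salt and iteration count and compare in
    constant time. Each guess costs the full iteration count, which is what makes offline
    brute force against a stolen database slow."""
    guess = hi(candidate.encode("utf-8"), cred["salt"], cred["iterations"])
    return hmac.compare_digest(guess, cred["salted_password"])
```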

