[jdev] plaintext passwords hack
Kurt Zeilenga
Kurt.Zeilenga at Isode.com
Wed Dec 16 18:43:04 CST 2009
On Dec 16, 2009, at 4:17 PM, Tobias Markmann wrote:
> On 17.12.09 00:56, Peter Saint-Andre wrote:
>> And even if you do have hashed passwords, if someone breaks into your
>> machine then it's not that much work to de-hash them all. It just looks
>> scarier if they're in cleartext to start with.
>>
> That more or less depends on what you store in your authentication
> database. Considering SCRAM for example which has been designed to
> address the issue of clear text password ([1] Point 3) you'd ideally
> store the SaltedPassword, the salt and the iteration count for your
> users in the authentication database.
> Since SaltedPassword is generated using Hi(hmac_sha1, password,
> salt, iteration_count), even if you had the database with all the
> SaltedPasswords you'd need brute force to find out the clear text
> passwords, which can take quite some time considering the variable
> iteration count.
Computing power on the black market is quite cheap.
-- Kurt
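The derivation the quoted reply refers to, as an added example that is not code from the thread or from any XMPP project: SCRAM's Hi() from RFC 5802, the resulting SaltedPassword, and the StoredKey/ServerKey the RFC has the server keep instead. The password "pencil", the salt and the iteration count are constructed sample values.

```python
import hashlib
import hmac


def hi(password: bytes, salt: bytes, iterations: int, hash_name: str = "sha1") -> bytes:
    """Hi(str, salt, i) from RFC 5802 section 2.2: U1 = HMAC(str, salt || INT(1)),
    Uk = HMAC(str, Uk-1), Hi = U1 XOR ... XOR Ui. Equals PBKDF2 with dkLen = |H|."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hash_name).digest()
    result = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hash_name).digest()
        result = bytes(a ^ b for a, b in zip(result, u))
    return result


def matches_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bool:
    """Cross-check Hi against the standard library's PBKDF2-HMAC-SHA1."""
    return hi(password, salt, iterations) == hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def derive_scram_record(password: str, salt: bytes, iterations: int) -> dict:
    """Server-side record for one user (SCRAM-SHA-1); SASLprep is omitted, ASCII assumed."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha1").digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "salted_password": salted,
        # RFC 5802 section 3 has the server keep these two rather than SaltedPassword.
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", "sha1").digest(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and iteration count. Each guess costs
    `iterations` HMAC calls, the same price an attacker pays per candidate
    after a database leak, which is what the iteration count buys."""
    fresh = derive_scram_record(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(fresh["stored_key"], record["stored_key"])


if __name__ == "__main__":
    # Constructed sample input: a real salt is random and unique per user.
    rec = derive_scram_record("pencil", b"constructed-salt", 4096)
    print("StoredKey:", rec["stored_key"].hex(), "| Hi == PBKDF2:", matches_pbkdf2(b"pencil", b"constructed-salt", 4096))
```

Raising the iteration count multiplies the per-guess cost in verify_password linearly, for the legitimate server and for an offline attacker alike.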