From: kilgallen@eisner.decus.org (Larry Kilgallen)
Subject: Re: Saving and Encoding Passwords
Date: 1999/11/27
Message-ID: <1999Nov27.093947.1@eisner>
In-Reply-To: 87u2m8exf8.fsf@deneb.cygnus.argh.org

In article <87u2m8exf8.fsf@deneb.cygnus.argh.org>, Florian Weimer <fw@s.netic.de> writes:
> It is considered close to impossible to recover the password from
> the hash value if the cryptographic hash function is one of the most
> commonly used and thoroughly analyzed (i.e. MD5 or SHA-1).

But that consideration is only of interest to mathematicians.
Security folk realize that passwords freely chosen by humans
are highly susceptible to brute force guessing attacks. The
common defenses are:

    Include a secret per-user pseudo-random seed number
    in the hash, to prevent pre-computation of hashes for
    a particular username.

    Enforce rules regarding password choice that effectively
    prevent the use of dictionary words (e.g., punctuation
    and numeric characters required).

Larry Kilgallen
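
The two defenses listed in the message above, sketched in Python as an added example (not part of the original post or thread). It uses PBKDF2-HMAC-SHA256 from the standard library in place of the bare MD5 or SHA-1 the thread discusses, and stores the seed next to the hash; the iteration count, minimum length, word list and function names are assumptions made for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import string

ITERATIONS = 100_000   # assumed work factor, chosen for this example
NO_SEED = bytes(16)    # models a scheme with no per-user seed

def derive(password: str, seed: bytes) -> bytes:
    """Hash the password together with the seed (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), seed, ITERATIONS)

def enroll(password: str) -> tuple[bytes, bytes]:
    """Create a stored record: fresh random per-user seed plus the hash."""
    seed = secrets.token_bytes(16)
    return seed, derive(password, seed)

def verify(password: str, seed: bytes, stored: bytes) -> bool:
    """Recompute with the stored seed and compare in constant time."""
    return hmac.compare_digest(derive(password, seed), stored)

def meets_policy(password: str, min_len: int = 10) -> bool:
    """Require letters, numeric characters and punctuation (min_len is assumed)."""
    return (len(password) >= min_len
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

# Constructed sample data: a table hashed once, ahead of time, without any seed.
WORDS = ["sunshine", "dragon", "letmein"]
PRECOMPUTED = {derive(w, NO_SEED): w for w in WORDS}

def precomputed_hit(stored: bytes) -> str | None:
    """Return the word if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored)

if __name__ == "__main__":
    print("no seed:", precomputed_hit(derive("dragon", NO_SEED)))  # table applies
    seed_a, rec_a = enroll("dragon")
    seed_b, rec_b = enroll("dragon")
    print("seeded:", precomputed_hit(rec_a))                       # table no longer applies
    print("same password, different records:", rec_a != rec_b)
    print("verify:", verify("dragon", seed_a, rec_a), verify("dragon", seed_b, rec_a))
    print("policy:", meets_policy("dragon"), meets_policy("Tr4il-mix!09"))
```

With a per-user seed the guessing work has to be repeated for every record; the policy check addresses the other half, keeping dictionary words out of the records in the first place.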