From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,INVALID_MSGID,
	REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,2ea9abfbe071a56f
X-Google-Attributes: gid103376,public
From: kilgallen@eisner.decus.org (Larry Kilgallen)
Subject: Re: Saving and Encoding Passwords
Date: 1999/11/27
Message-ID: <1999Nov27.093947.1@eisner>#1/1
X-Deja-AN: 553656972
References: <38315e1a.0@silver.truman.edu>
 <87u2m8exf8.fsf@deneb.cygnus.argh.org>
X-Trace: news.decus.org 943713589 5748 KILGALLEN [216.44.122.34]
Organization: LJK Software
Reply-To: Kilgallen@eisner.decus.org.nospam
Newsgroups: comp.lang.ada
Date: 1999-11-27T00:00:00+00:00
List-Id: <comp.lang.ada>

In article <87u2m8exf8.fsf@deneb.cygnus.argh.org>, Florian Weimer <fw@s.netic.de> writes:

> It is considered close to impossible to recover the password from
> the hash value if the cryptographic hash function is one of the most
> commonly used and thoroughly analyzed (i.e. MD5 or SHA-1).

But that consideration is only of interest to mathematicians.

Security folk realize that passwords freely chosen by humans
are highly susceptible to brute force guessing attacks.  The
common defenses are:

	Include a secret per-user pseudo-random seed number
	in the hash, to prevent pre-computation of hashes for
	a particular username.

	Enforce rules regarding password choice that effectively
	prevent the use of dictionary words (e.g., punctuation
	and numeric characters required).

Larry Kilgallen