Re: Saving and Encoding Passwords

[kilgallen@eisner.decus.org (Larry Kilgallen)]

In article <87hfi6q4k4.fsf@deneb.cygnus.argh.org>, " "@deneb.cygnus.argh.org (Florian Weimer) writes:
> kilgallen@eisner.decus.org (Larry Kilgallen) writes:
> 
>> In article <87u2m8exf8.fsf@deneb.cygnus.argh.org>, Florian Weimer <fw@s.netic.de> writes:
>> 
>> > It is considered close to impossible to recover the password from
>> > the hash value if the cryptographic hash function is one of the most
>> > commonly used and thoroughly analyzed (i.e. MD5 or SHA-1).
>> 
>> But that consideration is only of interest to mathematicians.
> 
> Eh, maybe. ;)
> 
>> Security folk realize that passwords freely chosen by humans
>> are highly susceptible to brute force guessing attacks.  The
>> common defenses are:
>> 
>> 	Include a secret per-user pseudo-random seed number
>> 	in the hash, to prevent pre-computation of hashes for
>> 	a particular username.
> 
> There's no such thing like a `secret per-user pseudo-random seed number'.
> The application needs to know it in order to verify the password,
> which means it can't that secret.  Of course, a password salt will
> tremendously increase the size of a precomputed dictionary without much
> effort on the application programmer's side.

Keeping secrets is just one reason why we have operating systems.
Any operating system smart enough to keep the hash result secret
can keep the seed secret.

If you don't like "operating system", try "protected subsystem"
where the trusted code (and for a mail system, this _is_ part
of the TCB) has the only access to the seed.

Larry Kilgallen