[LINK] Why passwords have never been weaker—and crackers have never been stronger

Rick Welykochy rick at vitendo.ca
Sun Aug 26 13:51:56 AEST 2012


Kim Holburn wrote:

> http://arstechnica.com/security/2012/08/passwords-under-assault/
>
>> Why passwords have never been weaker—and crackers have never been stronger
>> Thanks to real-world data, the keys to your digital kingdom are under assault.

Since it is pretty evident that mere mortals are never going to select
uncrackable passwords, and who can blame them, let's look at what the
admins and programmers can do on the server side.

Password cracking is practically infinitely more difficult when a
password hash is "salted", as mentioned in pages 3 and 4 of the article.

Rainbow tables are useless with a password salted with 32 random bits.

Salting has been used by Unix for, oh, at least 25 years. I think Mickeysoft
finally figured the same thing out after Windows XP and NT.

The other improvement is to use the best hashing algorithms currently
available, which would be SHA256/512 or better.

As the article observes, neither salting nor secure hashing is being
used by some pretty big players on the web. Many simply store the insecure
MD5 hash, unsalted. Voila. Rainbow tables make mincemeat of such a scheme
in seconds.

Let's lay the blame on those who can make the difference: those implementing
the security of the password store. The user can hardly be blamed when
even large corporations cannot get it right.

cheers
rickw

-- 
------------------------------------
Rick Welykochy || Vitendo Consulting

A dyslexic man walks into a bra.
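An added example, not code from Rick's message or the Ars Technica article, contrasting the unsalted MD5 store the post criticises with a per-user salted SHA-256 store using the 32 random bits of salt it mentions. The password list, the `hexsalt$hexhash` record layout and the helper names are constructed for illustration; the comment pointing at a slow KDF is an added practitioner's caveat.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a handful of common passwords standing in for the
# precomputed (rainbow) table an attacker brings to an unsalted hash store.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def store_unsalted_md5(password: str) -> str:
    """The weak scheme from the post: bare MD5, no salt, same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 record 'hexsalt$hexhash' with a 32-bit random salt (4 bytes).
    Caveat (added): in practice a deliberately slow KDF such as
    hashlib.pbkdf2_hmac is preferable; plain SHA-256 is used to match the post."""
    if salt is None:
        salt = os.urandom(4)  # 32 random bits, as the post suggests
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted_sha256(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def precomputed_lookup(stored_md5: str) -> Optional[str]:
    """Why unsalted storage fails: a table computed once from COMMON_PASSWORDS
    reverses any unsalted MD5 of those passwords by a dictionary lookup."""
    table = {store_unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_md5)


def salted_lookup(record: str) -> Optional[str]:
    """The same precomputed idea against the salted store: a table of bare
    SHA-256 hashes never matches, because each stored digest depends on its salt."""
    table = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    _, digest = record.split("$", 1)
    return table.get(digest)
```

Two users choosing the same password get identical unsalted MD5 records but different salted records, which is exactly what stops a single precomputed table from being reused across accounts.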