[Cryptography] The proper way to hash password files

Bear bear at sonic.net
Fri May 23 16:56:16 EDT 2014


On Thu, 2014-05-22 at 16:47 -0400, Jerry Leichter wrote:

> I'll repeat my (only partially facetious) suggestion:  Require that any
> company that maintains a password database have entries for
> pseudo-accounts with fixed, known names like "CEO Bank Account
> Password" and "CSO Retirement Account Password" containing the hashes -
> using exactly the same algorithm as used for the rest of the database -
> of that banking information.  If having the database stolen is going to
> be bad for all the customers, make sure it's *really, really, really
> bad* for those in a position to approve or reject efforts to make sure
> it's kept secure.

You're not going to sell them on that idea, but I've got one that
seems like a much easier sell and a very simple good idea to me:

Why not make 9/10 (or, heck, 99/100) of the entries in a password
file correspond to fake accounts that simply ring an alarm and
shut down access to the legit accounts from that file if their
passwords are ever actually used?

It's still never a good thing for password files to be stolen, but
since no method of preventing the theft will be perfect, we should
at the very least make the theft harder to exploit.
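An added example, not from the thread, sketching Bear's proposal as a password verifier: decoy entries use the same salt and hash format as real ones, so a stolen dump gives no hint which rows are bait, and a successful login against a decoy raises an alarm and locks the legitimate accounts. The class, the PBKDF2 parameters and the sample account names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the point is that real and decoy rows share it


def hash_password(password: str, salt: bytes) -> bytes:
    """Same algorithm for every entry, real or decoy."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordFile:
    """Constructed in-memory password file with honey (decoy) accounts."""

    def __init__(self) -> None:
        self.entries: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        # Which users are decoys must live OUTSIDE the file the thief can steal,
        # e.g. with the authentication service, never in the dump itself.
        self.decoys: set[str] = set()
        self.locked_down = False
        self.alarms: list[str] = []

    def add_account(self, username: str, password: str, decoy: bool = False) -> None:
        salt = os.urandom(16)
        self.entries[username] = (salt, hash_password(password, salt))
        if decoy:
            self.decoys.add(username)

    def dump(self) -> list[str]:
        """What an attacker gets: one uniform line per entry, decoys included."""
        return [f"{u}:{s.hex()}:{h.hex()}" for u, (s, h) in self.entries.items()]

    def authenticate(self, username: str, password: str) -> str:
        if self.locked_down:
            return "LOCKED"  # file presumed stolen; legit accounts shut down
        entry = self.entries.get(username)
        if entry is None:
            return "FAIL"
        salt, stored = entry
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return "FAIL"
        if username in self.decoys:
            # Nobody legitimate knows a decoy password, so a match can only come
            # from cracking the stolen file: ring the alarm and lock everything.
            self.alarms.append(f"decoy {username!r} used; password file compromised")
            self.locked_down = True
            return "DECOY"
        return "OK"
```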