[Cryptography] The proper way to hash password files

Pawel Veselov pawel.veselov at gmail.com
Sat May 24 00:07:23 EDT 2014


On Fri, May 23, 2014 at 3:00 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On May 23, 2014, at 4:56 PM, Bear <bear at sonic.net> wrote:
> > Why not make 9/10 (or, heck, 99/100) of the entries in a password
> > file correspond to fake accounts that simply ring an alarm and
> > shut down access to the legit accounts from that file if their
> > passwords are ever actually used?
>
> > It's still never a good thing for password files to be stolen, but
> > since no method of preventing the theft will be perfect, we should
> > at the very least make the theft harder to exploit.
> Ari Juels and Ron Rivest have a paper - "Honeywords: Making
> Password-Cracking Detectable" -
> http://people.csail.mit.edu/rivest/pubs/JR13.pdf - proposing a more
> sophisticated variant of this proposal. (They deal with the problem that
> the attacker may be able to determine which users are legitimate users -
> or, in a more restricted fashion, be able to generate a partial list of
> legitimate users on the system - and by limiting himself to just those,
> avoid hitting any of the fake entries.)
>

It's a very thorough paper. IMHO, though, if somebody were to get their
hands on a database like this, they will know immediately what's going on,
and won't go poking around until they steal the "honeyword" database first.
With a moderate number of properly disguised fake accounts, it's
harder to see a trap coming. Though, once it's known that company X is
using fake accounts, the strategies against that company's stolen passwords
would change.
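To make the honeyword mechanism under discussion concrete, here is an added example (not code from the thread or from the Juels/Rivest paper): each account stores its real password hash shuffled among decoy hashes, and only a separate "honeychecker" knows which index is real, so a login with a decoy signals that the password file was stolen and cracked. The class and function names, and the sample passwords, are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets


class Honeychecker:
    """Holds only user -> index of the real password.

    Constructed stand-in for the paper's separate honeychecker host; it never
    sees the password file, so stealing that file alone does not reveal which
    entry is real.
    """

    def __init__(self):
        self._index = {}

    def set(self, user, i):
        self._index[user] = i

    def check(self, user, i):
        return self._index.get(user) == i


def _hash(pw, salt):
    # Slow salted hash so the decoys are no cheaper to crack than the real one.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def enroll(store, checker, user, password, decoys):
    """Store the real password among decoys in random order; only the checker learns the real index."""
    sweetwords = decoys + [password]
    secrets.SystemRandom().shuffle(sweetwords)
    salt = os.urandom(16)
    store[user] = (salt, [_hash(w, salt) for w in sweetwords])
    checker.set(user, sweetwords.index(password))


def login(store, checker, user, attempt):
    """Return 'ok', 'fail', or 'alarm' (a decoy matched: treat the password file as compromised)."""
    if user not in store:
        return "fail"
    salt, hashes = store[user]
    h = _hash(attempt, salt)
    for i, stored in enumerate(hashes):
        if hmac.compare_digest(h, stored):
            return "ok" if checker.check(user, i) else "alarm"
    return "fail"
```

Because the decoys live inside the real user's own entry, an attacker who already knows which accounts are legitimate gains nothing from that knowledge, which is the weakness of whole fake accounts that the quoted reply points out.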