[Cryptography] Passwords

Jerry Leichter leichter at lrw.com
Tue Oct 1 17:04:52 EDT 2013


On Oct 1, 2013, at 4:13 PM, Peter Fairbrother wrote:
> And as to passwords being near end-of-life? Rubbish. Keep the password database secure, give the user a username and only three password attempts, and all your GPUs and ASIC farms are worth nothing.
Yup.

I've (half-)jokingly suggested that any business maintaining a database of usernames and passwords must, by law, include within that database, under a set of fixed fake user names using exactly the same format and algorithms as are used for all other user accounts, such things as (a) the business's bank account data, including account numbers and full authentication information; (b) similar information about the top executives in the company and everyone on the management chain who has any responsibility for the database.  Once that information is in the database, the business can protect it or not, as they wish.  Let them sink or swim along with their users.

                                                        -- Jerry


