[Cryptography] The proper way to hash password files

Phillip Hallam-Baker phill at hallambaker.com
Thu May 22 13:09:57 EDT 2014


Lots of sackcloth and ashes as eBay loses a password file.

It occurs to me that most of the time, machines do password files
wrong. Rather than using a salted hash, a better approach would be to
use a MAC with a randomly chosen key that is never disclosed.

Now this seems obvious but I can't recall ever seeing code set up to
do the job this way...
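Added example (mine, not the poster's code): one way to lay out a password file along the lines the message proposes, in Python with only the standard library. The record layout, salt size and round count are my assumptions, and stretching with PBKDF2 before applying the MAC goes a step beyond the post, so that a leaked key still leaves a guesser a slow search rather than a fast one.

```python
import hashlib
import hmac
import os
import secrets

# Constructed server-side key: the "randomly chosen key that is never
# disclosed". It is held outside the password database (secrets store,
# HSM, config only readable by the auth service), so a leaked table on
# its own cannot be run through an offline guessing attack.
SERVER_KEY = secrets.token_bytes(32)

PBKDF2_ROUNDS = 100_000  # assumed slow-hash work factor; tune per server


def make_record(password: str, key: bytes = SERVER_KEY) -> dict:
    """Build the per-user entry that goes into the password file.

    The password is stretched with a per-user salt (so equal passwords
    yield different records), then MACed with the server key as the post
    suggests. Only salt, rounds and tag are stored; the key never is.
    """
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS)
    tag = hmac.new(key, stretched, hashlib.sha256).digest()
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "tag": tag.hex()}


def verify(password: str, record: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag for a login attempt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["rounds"])
    expected = hmac.new(key, stretched, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["tag"]))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec))  # True
    print(verify("wrong guess", rec))                   # False
```

Because the stored tag depends on the key, rotating the key means re-deriving each record at the user's next successful login (or versioning records by key id) rather than rewriting the file offline.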

