[Cryptography] The proper way to hash password files

Tom Mitchell mitch at niftyegg.com
Thu May 22 17:12:42 EDT 2014


On Thu, May 22, 2014 at 1:47 PM, Jerry Leichter <leichter at lrw.com> wrote:
> On May 22, 2014, at 3:06 PM, Hanno Böck <hanno at hboeck.de> wrote:
>>> It occurs to me that most of the time, machines do password files
>>> wrong.
.....
> I'll repeat my (only partially facetious) suggestion:  Require that any company that maintains a password database have entries for pseudo-accounts with fixed, known names like "CEO Bank Account Password" and "CSO Retirement Account Password"

One issue is there should not be ONE database file.
There should be many, and some hash at a local layer should be used
to decide which machine has the interesting
bits.   We are talking about an application database, not a user
ID file, for the most part.

Also, in any database that might be attacked there need to be
numerous tattletale user+magicword pairs that can be used to discover,
track and prosecute those who might engage in such commerce.
This can be done by one or more TLA agencies by creating accounts,
and is not invasive of customer privacy.

This tattletale strategy might help discover data breaches in the future
that are not known, i.e. law enforcement and national security could
do this and not invade our lives, yet at the same time enable law
enforcement and security.

Another underused resource set is virtual machines and sandboxes.
Be it my data on a cloud I buy time on from Amazon or the
cloud used by Amazon for their business, better use of sandboxes
and virtual machines is clearly a topic of future research.


-- 
  T o m    M i t c h e l l
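The two ideas in the message above (spread the records over several machines chosen by a local hash, and plant tattletale accounts whose only purpose is to reveal that the database has been stolen and cracked) as an added example, not code from Tom Mitchell or anyone else in this thread. The store, the shard key, the account names (taken from Jerry Leichter's suggestion) and the canary passwords are all constructed for the demo; PBKDF2 stands in for whatever password hash the real system uses.

```python
"""Tattletale (canary) accounts in a sharded password store.

Added example, not code from the original thread. The shard key, the
sample accounts and the canary passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000   # assumption: tune for the hardware in use
DUMMY_SALT = b"\x00" * 16     # used so unknown users cost as much as known ones


@dataclass
class Record:
    salt: bytes
    digest: bytes
    canary: bool = False  # tattletale: no legitimate user ever logs in as this


@dataclass
class Alert:
    username: str
    kind: str  # "attempt": canary name used; "hash-cracked": correct password presented


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256 here as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Records live on several shards (machines); a keyed hash of the
    username decides which shard holds a given record, so placement cannot
    be predicted from the username alone."""

    def __init__(self, shard_count: int = 4, shard_key: Optional[bytes] = None) -> None:
        self.shards: List[Dict[str, Record]] = [dict() for _ in range(shard_count)]
        self.shard_key = shard_key if shard_key is not None else os.urandom(32)
        self.alerts: List[Alert] = []

    def shard_for(self, username: str) -> int:
        tag = hmac.new(self.shard_key, username.lower().encode("utf-8"), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big") % len(self.shards)

    def _put(self, username: str, password: str, canary: bool) -> None:
        salt = os.urandom(16)
        self.shards[self.shard_for(username)][username] = Record(salt, derive(password, salt), canary)

    def add_user(self, username: str, password: str) -> None:
        self._put(username, password, canary=False)

    def add_canary(self, username: str, password: str) -> None:
        """Plant a tattletale. Give it a password that looks like a real one,
        so a cracked copy of the database yields it; the name is never used
        by anyone legitimate, so any login attempt against it is a signal."""
        self._put(username, password, canary=True)

    def verify(self, username: str, password: str) -> bool:
        rec = self.shards[self.shard_for(username)].get(username)
        if rec is None:
            derive(password, DUMMY_SALT)  # keep timing flat for unknown usernames
            return False
        matched = hmac.compare_digest(rec.digest, derive(password, rec.salt))
        if rec.canary:
            # Using a canary name at all is suspicious; presenting its correct
            # password means the stored hashes were obtained and cracked.
            self.alerts.append(Alert(username, "hash-cracked" if matched else "attempt"))
            return False  # a canary never grants access
        return matched


def build_sample_store() -> PasswordStore:
    """Constructed sample data: two real users and two tattletale accounts."""
    store = PasswordStore(shard_count=4, shard_key=b"constructed-shard-key-for-demo")
    store.add_user("alice", "correct horse battery staple")
    store.add_user("bob", "hunter2")
    store.add_canary("CEO Bank Account Password", "Spring2014!")
    store.add_canary("CSO Retirement Account Password", "Retire@65")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("alice ok:", s.verify("alice", "correct horse battery staple"))
    print("canary ok:", s.verify("CEO Bank Account Password", "Spring2014!"))
    for a in s.alerts:
        print("ALERT", a.kind, a.username)
```

The alert list is where the tattletale pays off: an "attempt" tells you someone has seen the account names, and "hash-cracked" tells you the hash file itself was taken and brute-forced, which is exactly the breach the thread is worried about. Shard selection is keyed so that someone who has one shard cannot work out which other machine holds a target user.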

