[Cryptography] The proper way to hash password files

Jerry Leichter leichter at lrw.com
Fri May 23 18:00:12 EDT 2014


On May 23, 2014, at 4:56 PM, Bear <bear at sonic.net> wrote:
> Why not make 9/10 (or, heck, 99/100) of the entries in a password 
> file correspond to fake accounts that simply ring an alarm and 
> shut down access to the legit accounts from that file if their 
> passwords are ever actually used?
> 
> It's still never a good thing for password files to be stolen, but
> since no method of preventing the theft will be perfect, we should 
> at the very least make the theft harder to exploit.
Ari Juels and Ron Rivest have a paper - "Honeywords: Making Password-Cracking Detectable" - http://people.csail.mit.edu/rivest/pubs/JR13.pdf - proposing a more sophisticated variant of this proposal.  (They deal with the problem that the attacker may be able to determine which users are legitimate users - or, in a more restricted fashion, be able to generate a partial list of legitimate users on the system - and by limiting himself to just those, avoid hitting any of the fake entries.)
                                                        -- Jerry
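As an added illustration (not code from the paper, from Jerry, or from Bear), the sketch below shows the shape of the honeyword scheme Jerry points to: each account's entry in the password file holds k salted hashes, only one of which is the real password, and a separate, minimal "honeychecker" is the only component that knows which index is real. Because the decoys live inside every legitimate account's entry, an attacker who has cracked the stolen file and restricts himself to known-real users still has to pick one of k sweetwords, so a guess trips the alarm with probability (k-1)/k. The decoy generator (re-rolling the trailing digit run), the user names and passwords, and the deliberately low PBKDF2 iteration count are this example's own choices so that it runs in a second or two; they are not parameters taken from the paper.

```python
import hashlib
import hmac
import random
import re
import secrets
import string

# Deliberately low work factor so the demo runs quickly; a real deployment
# would use a far higher iteration count or a memory-hard KDF.
ITERATIONS = 2_000


def hash_sweetword(word: str, salt: bytes) -> bytes:
    """Salted slow hash of one sweetword (real password or decoy)."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS)


def tweak_digits(password: str, n: int, rng: random.Random) -> list:
    """Produce n decoys by re-rolling the trailing digit run of the password.
    This is a simplified generator chosen for the example; a real one needs
    more care so the true password is not distinguishable from its decoys."""
    m = re.search(r"\d+$", password)
    stem, width = (password[:m.start()], len(m.group())) if m else (password, 2)
    while 10 ** width <= n:          # widen if the digit run is too short for n distinct tweaks
        width += 1
    decoys = set()
    while len(decoys) < n:
        cand = stem + "".join(rng.choice(string.digits) for _ in range(width))
        if cand != password:
            decoys.add(cand)
    return list(decoys)


class HoneyChecker:
    """Separate, hardened server that stores only user -> index of the real password."""
    def __init__(self):
        self._real_index = {}

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


class PasswordFile:
    """Login server side: k salted hashes per user, with no record of which one is real."""
    def __init__(self, checker: HoneyChecker, k: int = 10, rng=None):
        self.checker = checker
        self.k = k
        self.rng = rng or random.SystemRandom()   # seeded rng only so the demo is repeatable
        self.entries = {}   # user -> list of (salt, hash); this is what a thief walks off with
        self.alarms = []    # users for whom a decoy was ever submitted

    def add_user(self, user: str, password: str) -> list:
        sweetwords = tweak_digits(password, self.k - 1, self.rng) + [password]
        self.rng.shuffle(sweetwords)
        stored = []
        for word in sweetwords:
            salt = secrets.token_bytes(16)
            stored.append((salt, hash_sweetword(word, salt)))
        self.entries[user] = stored
        self.checker.set_index(user, sweetwords.index(password))
        # Returned only so the demo can play an attacker who has already cracked every hash.
        return sweetwords

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'fail', or 'alarm' (a decoy matched: the file has leaked and been cracked)."""
        stored = self.entries.get(user)
        if stored is None:
            return "fail"
        for index, (salt, digest) in enumerate(stored):
            if hmac.compare_digest(digest, hash_sweetword(attempt, salt)):
                if self.checker.check(user, index):
                    return "ok"
                self.alarms.append(user)   # response policy (lock account, rotate file) is up to the site
                return "alarm"
        return "fail"


def attacker_trials(pf: PasswordFile, user: str, cracked: list, trials: int, rng: random.Random) -> float:
    """Attacker holds the stolen file and has cracked all k sweetwords for `user`, but
    not the honeychecker, so each attempt is a uniform pick among k. Returns alarm rate."""
    alarms = sum(pf.login(user, rng.choice(cracked)) == "alarm" for _ in range(trials))
    return alarms / trials


def demo(seed: int = 1234) -> dict:
    rng = random.Random(seed)
    pf = PasswordFile(HoneyChecker(), k=10, rng=rng)
    sweetwords = pf.add_user("alice", "sunshine42")     # constructed sample account
    decoy = next(w for w in sweetwords if w != "sunshine42")
    return {
        "k": len(sweetwords),
        "real": pf.login("alice", "sunshine42"),
        "decoy": pf.login("alice", decoy),
        "wrong": pf.login("alice", "letmein"),
        "unknown_user": pf.login("bob", "sunshine42"),
        "alarm_rate": attacker_trials(pf, "alice", sweetwords, 100, rng),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points the sketch leaves to the deployer: the "alarm" result is for the server's own logging and response, and should be presented to the client as an ordinary failed login so the attacker is not told which guess was a decoy; and the whole scheme rests on the honeychecker being compromised separately from the password file and on the decoys being indistinguishable from real passwords, which the trivial digit-tweaking generator here does not guarantee.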
