[Cryptography] The proper way to hash password files
Jerry Leichter
leichter at lrw.com
Fri May 23 18:00:12 EDT 2014
On May 23, 2014, at 4:56 PM, Bear <bear at sonic.net> wrote:
> Why not make 9/10 (or, heck, 99/100) of the entries in a password
> file correspond to fake accounts that simply ring an alarm and
> shut down access to the legit accounts from that file if their
> passwords are ever actually used?
>
> It's still never a good thing for password files to be stolen, but
> since no method of preventing the theft will be perfect, we should
> at the very least make the theft harder to exploit.
Ari Juels and Ron Rivest have a paper - "Honeywords: Making Password-Cracking Detectable" - http://people.csail.mit.edu/rivest/pubs/JR13.pdf - proposing a more sophisticated variant of this proposal. (They deal with the problem that the attacker may be able to determine which users are legitimate users - or, in a more restricted fashion, be able to generate a partial list of legitimate users on the system - and by limiting himself to just those, avoid hitting any of the fake entries.)
-- Jerry
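The honeyword scheme Jerry points to splits the decision across two machines: the password file holds k salted hashes per user (one real password plus k-1 decoys, or "sweetwords", in shuffled order), and a separate "honeychecker" stores only the index of the real one. A stolen, cracked file then yields k plausible candidates with no way to tell them apart, and submitting a decoy raises an alarm. The toy implementation below is an added example, not code from the thread or from the Juels-Rivest paper; the class and function names, the simplified tweak-the-last-two-characters decoy generator, and the low PBKDF2 round count are all assumptions made for the demonstration.

```python
"""Toy honeyword store and honeychecker (added example, constructed for illustration)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 10_000  # kept low for the demo; production needs a far higher cost


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def tweak_decoys(password: str, count: int) -> list[str]:
    """Generate plausible decoys by replacing the last two characters with random
    digits (a simplified version of the 'tweaking' idea; assumption, not the paper's
    exact generator). Decoys are guaranteed to differ from the real password."""
    decoys: set[str] = set()
    stem = password[:-2] if len(password) > 2 else password
    while len(decoys) < count:
        candidate = stem + "".join(secrets.choice(string.digits) for _ in range(2))
        if candidate != password:
            decoys.add(candidate)
    return sorted(decoys)


@dataclass
class HoneyChecker:
    """Runs on a separate, hardened host. It never sees passwords or hashes; it only
    knows, per user, which slot in the password file holds the real password."""
    _real_index: dict[str, int] = field(default_factory=dict)
    alarms: list[tuple[str, int]] = field(default_factory=list)

    def register(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        """True if `index` is the real slot; otherwise record an alarm and return False."""
        if self._real_index.get(user) == index:
            return True
        self.alarms.append((user, index))
        return False


@dataclass
class PasswordFile:
    """What the login server stores: per user, k (salt, hash) records in shuffled
    order. Cracking a stolen copy yields k candidates, none of them marked as real."""
    checker: HoneyChecker
    k: int = 5
    entries: dict[str, list[tuple[bytes, bytes]]] = field(default_factory=dict)

    def add_user(self, user: str, password: str) -> list[str]:
        sweetwords = tweak_decoys(password, self.k - 1) + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        # Only the honeychecker learns which slot is real.
        self.checker.register(user, sweetwords.index(password))
        records = []
        for word in sweetwords:
            salt = secrets.token_bytes(16)
            records.append((salt, _hash(word, salt)))
        self.entries[user] = records
        # Returned only so the demo can show the decoys; a real server discards it.
        return sweetwords

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'invalid', or 'honeyword' (a decoy was used; alarm raised)."""
        records = self.entries.get(user)
        if records is None:
            return "invalid"
        for index, (salt, digest) in enumerate(records):
            if hmac.compare_digest(digest, _hash(password, salt)):
                return "ok" if self.checker.check(user, index) else "honeyword"
        return "invalid"


if __name__ == "__main__":
    checker = HoneyChecker()
    pf = PasswordFile(checker, k=5)
    sweet = pf.add_user("alice", "correct-horse-42")
    print("file slots (attacker's view after cracking):", sweet)
    print(pf.login("alice", "correct-horse-42"))           # ok
    decoy = next(w for w in sweet if w != "correct-horse-42")
    print(pf.login("alice", decoy), checker.alarms)         # honeyword [('alice', <slot>)]
```

The point Bear raises (an attacker who can enumerate real users skips the fake accounts) is what the per-user layout addresses: every account, real or not, carries decoys, so knowing which accounts are legitimate does not tell the attacker which of that account's k hashes to use. The check that matters operationally is that the honeychecker's index table and the password file never live on the same host; if both are taken together the decoys lose their value.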