[Cryptography] The proper way to hash password files
Bear
bear at sonic.net
Fri May 23 18:50:40 EDT 2014
On Fri, 2014-05-23 at 18:00 -0400, Jerry Leichter wrote:
> On May 23, 2014, at 4:56 PM, Bear <bear at sonic.net> wrote:
> Ari Juels and Ron Rivest have a paper - "Honeywords: Making Password-Cracking Detectable" - http://people.csail.mit.edu/rivest/pubs/JR13.pdf - proposing a more sophisticated variant of this proposal. (They deal with the problem that the attacker may be able to determine which users are legitimate users - or, in a more restricted fashion, be able to generate a partial list of legitimate users on the system - and by limiting himself to just those, avoid hitting any of the fake entries.)
> -- Jerry
>
I note that this paper has been published for years, contains
a good and simple idea, does not materially affect any other
aspect of system operation, and that I have never seen or
heard of an actual implementation being deployed in the wild.
One might almost conclude that people don't want it known when
their password files are stolen.... Oh, wait .....
Bear
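A minimal sketch of the honeyword scheme Jerry refers to, added here as an illustration (not code from the post, from Juels and Rivest, or from any deployment): each real account's entry holds several hashed candidates, a separate honeychecker holds the index of the real one, and a login that matches a decoy signals that the file was stolen and cracked offline, which an attacker who has learned which users are legitimate still cannot avoid. K, the KDF, the digit-tweaking decoy heuristic and every name below are assumptions of this demo, not the paper's construction.

```python
import hashlib, hmac, os, secrets

# Added illustration of the honeyword idea: each account's password-file entry
# holds K hashed "sweetwords" (the real password plus K-1 decoys); only a
# separate honeychecker knows which index is real. Names and parameters are demo assumptions.
K = 4
_rng = secrets.SystemRandom()


def _hash(salt, word):
    # Demo KDF only; a deployment would use a slow, memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 50_000)


def make_decoys(password, n=K - 1):
    """Decoys that resemble the real password: every digit is re-rolled."""
    base = password if any(c.isdigit() for c in password) else password + "00"
    decoys = set()
    while len(decoys) < n:
        decoys.add("".join(str(_rng.randrange(10)) if c.isdigit() else c for c in base))
        decoys.discard(password)       # a decoy must never equal the real password
    return sorted(decoys)


class Honeychecker:
    """Separate hardened host: stores only user -> index of the real sweetword."""
    def __init__(self): self._index = {}
    def set(self, user, idx): self._index[user] = idx
    def check(self, user, idx): return self._index.get(user) == idx


class PasswordServer:
    def __init__(self, checker):
        self.checker = checker
        self.db = {}       # user -> (salt, [hash, ...]); this is what gets stolen
        self.alarms = []   # users whose decoy was submitted: the file was cracked

    def enroll(self, user, password, decoys=None):
        sweetwords = (decoys or make_decoys(password)) + [password]
        _rng.shuffle(sweetwords)           # the real index is not positional
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(salt, w) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))

    def login(self, user, attempt):
        salt, hashes = self.db.get(user, (b"", []))   # unknown user: same KDF work, then "fail"
        h = _hash(salt, attempt)
        hits = [i for i, s in enumerate(hashes) if hmac.compare_digest(h, s)]
        if not hits:
            return "fail"                  # ordinary wrong guess, no alarm
        if self.checker.check(user, hits[0]):
            return "ok"
        self.alarms.append(user)           # a decoy matched: raise the alarm
        return "honeyword"
```

The interesting property is the last branch: an offline cracker recovers all K candidates and has at most a 1/K chance per account of choosing the real one, so the first wrong pick trips the alarm.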