[Cryptography] The proper way to hash password files

Christian Huitema huitema at huitema.net
Sat May 24 00:32:50 EDT 2014


> Why not make 9/10 (or, heck, 99/100) of the entries in a password 
> file correspond to fake accounts that simply ring an alarm and 
> shut down access to the legit accounts from that file if their 
> passwords are ever actually used?

Having tripwires is fine, and I hope many systems do that. But the main
problem with these massive password breaches is password reuse. If the
attackers learn that <Joe.Schmuck@example.com> is using "P@ssw0rd!" on
E-Bay, chances are that he is using the same password on Amazon or Facebook.
They can start exploiting these other sites while leaving E-Bay alone. The
tripwires at E-Bay won't protect against that.

-- Christian Huitema
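As an added illustration that is not part of this thread, the sketch below shows what the quoted "tripwire" proposal looks like in a salted, iterated password store (the thread's subject), and why a decoy entry is only useful against attackers who actually try the cracked credential on the same site. Everything here is constructed for the example: the `PasswordFile` class, the account names, the passwords, and the iteration count are assumptions, not anything from the list or any real system. Decoy accounts get random passwords that are never issued to a person, so a successful login against one can only come from someone who obtained and cracked the stored hashes; the verifier then raises an alarm and locks the file. Nothing in this logic observes a reused password being tried at another site, which is the limitation the reply above points out.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo value; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = os.urandom(16)  # used to keep timing uniform for unknown users


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordFile:
    """Hypothetical password store with decoy ('tripwire') entries.

    Each entry is (salt, digest, is_decoy). A decoy entry has a random
    password that is never given to anyone, so authenticating against it
    implies the file was stolen and the hash cracked.
    """

    def __init__(self) -> None:
        self.entries: dict[str, tuple[bytes, bytes, bool]] = {}
        self.locked = False          # set once any tripwire fires
        self.alarms: list[str] = []  # decoy usernames that were hit

    def add_account(self, username: str, password: str,
                    decoy: bool = False) -> None:
        salt = os.urandom(16)  # fresh per-entry salt
        self.entries[username] = (salt, _derive(password, salt), decoy)

    def add_decoy(self, username: str) -> None:
        """Add a decoy with a random password nobody is told."""
        self.add_account(username, secrets.token_urlsafe(24), decoy=True)

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'fail', 'tripwire' or 'locked'."""
        if self.locked:
            return "locked"
        entry = self.entries.get(username)
        if entry is None:
            _derive(password, DUMMY_SALT)  # same cost as a real lookup
            return "fail"
        salt, digest, is_decoy = entry
        if not hmac.compare_digest(_derive(password, salt), digest):
            return "fail"
        if is_decoy:
            # Only a cracked copy of this file could produce this login:
            # ring the alarm and shut the file down.
            self.alarms.append(username)
            self.locked = True
            return "tripwire"
        return "ok"


def demo() -> list[str]:
    """Walk through the scenario; returns the sequence of verify() results."""
    pf = PasswordFile()
    pf.add_account("alice", "correct horse battery staple")
    # Decoy whose password we pretend an attacker recovered from a stolen copy.
    pf.add_account("svc-backup-17", "cracked-decoy-secret", decoy=True)
    return [
        pf.verify("alice", "wrong guess"),                      # fail
        pf.verify("alice", "correct horse battery staple"),     # ok
        pf.verify("nobody", "anything"),                        # fail
        pf.verify("svc-backup-17", "cracked-decoy-secret"),     # tripwire
        pf.verify("alice", "correct horse battery staple"),     # locked
    ]


if __name__ == "__main__":
    print(demo())
```

The lockdown here is deliberately blunt (the whole file is disabled); a production design would scope it per account or tier, but the detection signal itself is the point: a decoy login is a high-confidence indicator that the hash file has been cracked.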
