[Cryptography] The proper way to hash password files
Christian Huitema
huitema at huitema.net
Sat May 24 00:32:50 EDT 2014
> Why not make 9/10 (or, heck, 99/100) of the entries in a password
> file correspond to fake accounts that simply ring an alarm and
> shut down access to the legit accounts from that file if their
> passwords are ever actually used?
Having tripwires is fine, and I hope many systems do that. But the main
problem with these massive password breaches is password reuse. If the
attackers learn that <Joe.Schmuck@example.com> is using "P@ssw0rd!" on
eBay, chances are that he is using the same password on Amazon or Facebook.
They can start exploiting these other sites while leaving eBay alone. The
tripwires at eBay won't protect against that.
-- Christian Huitema
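As an added illustration (not part of the original thread, and not code from either poster), here is a small Python model of the two mechanisms discussed above: decoy "tripwire" entries in a salted, hashed password file that lock the file when one of their passwords is used, and the reuse problem that such tripwires do not catch. The site names, account names, passwords, wordlist, the `decoy` flag and the lock-on-trip policy are all constructed for this demo and describe no real system.

```python
"""Decoy ("tripwire") accounts in a salted, hashed password file.

Added example, not from the original thread. All data below is constructed;
the file format, the `decoy` flag and the lock-on-trip policy are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the demo runs quickly


@dataclass
class Entry:
    salt: bytes
    digest: bytes
    decoy: bool = False  # True for a tripwire account that no real user owns


@dataclass
class PasswordFile:
    site: str
    entries: dict = field(default_factory=dict)
    locked: bool = False  # set once any decoy's password is actually used


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_account(pf: PasswordFile, username: str, password: str, decoy: bool = False) -> None:
    salt = os.urandom(16)  # per-entry salt: identical passwords hash differently
    pf.entries[username] = Entry(salt, derive(password, salt), decoy)


def check_login(pf: PasswordFile, username: str, password: str) -> str:
    """Return 'ok', 'fail', 'tripwire' or 'locked'."""
    if pf.locked:
        return "locked"
    entry = pf.entries.get(username)
    if entry is None:
        derive(password, b"\x00" * 16)  # burn the same work so timing does not reveal which names exist
        return "fail"
    if not hmac.compare_digest(derive(password, entry.salt), entry.digest):
        return "fail"
    if entry.decoy:
        pf.locked = True  # a decoy password was used: the file has leaked and been cracked
        return "tripwire"
    return "ok"


def offline_crack(pf: PasswordFile, guesses: list) -> dict:
    """What an attacker does with a stolen copy: try each guess against every entry.
    Decoys look exactly like real entries in the file, so they get cracked too."""
    recovered = {}
    for username, entry in pf.entries.items():
        for guess in guesses:
            if hmac.compare_digest(derive(guess, entry.salt), entry.digest):
                recovered[username] = guess
                break
    return recovered


def build_demo() -> tuple:
    """Constructed scenario: one site with a real user and three decoys,
    plus a second site where the same user reused the password."""
    ebay = PasswordFile("ebay")
    add_account(ebay, "joe.schmuck", "P@ssw0rd!")
    for i in range(3):
        # A real deployment would draw decoy passwords from secrets.token_urlsafe();
        # they are fixed here only so the demo is reproducible.
        add_account(ebay, f"decoy{i}", f"Tr1pwire{i}!", decoy=True)
    amazon = PasswordFile("amazon")
    add_account(amazon, "joe.schmuck", "P@ssw0rd!")  # password reuse across sites
    return ebay, amazon


def run_scenario() -> dict:
    ebay, amazon = build_demo()
    # Attacker steals the first site's file and cracks it with a small constructed wordlist.
    wordlist = ["password", "P@ssw0rd!", "Tr1pwire1!", "letmein"]
    cracked = offline_crack(ebay, wordlist)
    results = {"cracked": cracked}
    # Reusing the cracked real password on the other site: no tripwire there, login just works.
    results["amazon_reuse"] = check_login(amazon, "joe.schmuck", cracked["joe.schmuck"])
    # Using a cracked decoy back at the breached site trips the alarm and locks the file.
    results["ebay_decoy"] = check_login(ebay, "decoy1", cracked["decoy1"])
    results["ebay_after"] = check_login(ebay, "joe.schmuck", "P@ssw0rd!")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows both sides of the exchange: an attacker who cracks the stolen file recovers the decoy passwords along with the real ones, so trying a decoy at the breached site locks everyone out, but the cracked real password used elsewhere succeeds silently because the other site has no knowledge of the decoys.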