[Cryptography] The proper way to hash password files

Theodore Ts'o tytso at mit.edu
Sat May 24 10:18:07 EDT 2014


On Fri, May 23, 2014 at 09:32:50PM -0700, Christian Huitema wrote:
> > Why not make 9/10 (or, heck, 99/100) of the entries in a password 
> > file correspond to fake accounts that simply ring an alarm and 
> > shut down access to the legit accounts from that file if their 
> > passwords are ever actually used?
> 
> Having tripwires is fine, and I hope many systems do that. But the main
> problem with these massive password breaches is password reuse. If the
> attackers learn that <Joe.Schmuck at example.com> is using "P at ssw0rd!" on
> E-Bay, chances are that he is using the same password on Amazon or Facebook.
> They can start exploiting these other sites while leaving E-Bay alone. The
> tripwires at E-Bay won't protect against that.

And until we can get something like the Fido initiative to create
something better than passwords, we're toast.  Because people aren't
going to memorize hundreds of passwords, and password managers such as
LastPass aren't used by enough people, and some bank web sites
actively try to make password managers impossible to use by
disabling cut and paste and other ways that a password manager might
try to use to fill in the password field.  Thus encouraging users to
use the same password for E-bay and their checking/brokerage
account....

						- Ted
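The tripwire idea from the quoted message, as an added example that is not part of this thread: instead of whole fake accounts, each account's entry in the password file holds the hash of the real password mixed with hashes of decoy passwords (a honeyword-style variant of the proposal). The index of the real hash is assumed to live in a separate, better-protected store, so someone who cracks a leaked file cannot tell decoy from real; a login with a decoy is the alarm signal. Hash function, iteration count and the sample passwords are assumptions for the example.

```python
import hashlib
import hmac
import os
import random

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example; tune for real hardware


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(real_password: str, decoys: list[str]):
    """Build one password-file entry: a per-account salt plus the hashes of the
    real password and the decoys, shuffled so file position reveals nothing.
    Returns (record, real_index). The record is what the password file stores;
    real_index is kept elsewhere (an assumed separate checker service)."""
    salt = os.urandom(16)
    entries = [real_password] + list(decoys)
    random.SystemRandom().shuffle(entries)
    record = {"salt": salt, "hashes": [_hash(p, salt) for p in entries]}
    return record, entries.index(real_password)


def verify(record: dict, real_index: int, candidate: str) -> str:
    """Return 'ok' for the real password, 'alarm' when a decoy was presented
    (evidence the file leaked and is being cracked, so the caller should lock
    the account and page someone), or 'reject' for an ordinary wrong guess."""
    h = _hash(candidate, record["salt"])
    # Compare against every stored hash, in constant time per entry, so the
    # response time does not hint at which slot holds the real password.
    matched = [i for i, stored in enumerate(record["hashes"])
               if hmac.compare_digest(h, stored)]
    if not matched:
        return "reject"
    return "ok" if real_index in matched else "alarm"


if __name__ == "__main__":
    # Constructed sample account: one real password, three decoys.
    rec, idx = make_record("correct horse", ["P@ssw0rd!", "letmein99", "hunter2"])
    for attempt in ("correct horse", "hunter2", "not-even-close"):
        print(attempt, "->", verify(rec, idx, attempt))
```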

