[Cryptography] NIST SP 800-63-3

Jerry Leichter leichter at lrw.com
Mon Aug 14 20:07:17 EDT 2017


This discussion has wandered off into HSMs and their pluses and minuses, which is all beside the point.

It's a sad fact that user databases, encrypted/salted passwords and all, are regularly stolen. Typically these are actually relational databases directly accessed by web software that provides direct customer services. This leads to large attack surfaces and leaves room for tons of vulnerabilities. A secondary secret password, properly implemented, can be stored in a small file somewhere or even embedded in code. It should be completely separate from anything user-facing - ideally on another machine. It has a simple interface: encrypt or decrypt this value. An attacker would have to use very different techniques to steal this - but without it, offline attacks on the stolen user file are impossible. That second machine could be an HSM, though it would be difficult to justify getting one just for this purpose.

Every password hashing mechanism we have devised since Unix introduced the idea some 40 years ago until very recently has fallen to better and better attacks. We believe we're OK now ... but then we believed that last year and 5 and 10 years ago, too. Adding a local secret to the mix is cheap and easy insurance. Why not use it?

                                          -- Jerry
