What Tim said. I think warning was writing about the public shame from having a massive pw dump not having some neckbeard expose them over using crypt on some random industry mailing list (shudders).
Here is a long article on secure password storage. It is extremely exciting: http://www.cigital.com/justice-league-blog/2012/06/11/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/

-Travis

On Tue, Feb 12, 2013 at 5:14 PM, Tim <[email protected]> wrote:

> > That's assuming that they didn't do the risk analysis and decide that
> > the effort required to fix the problem (which will probably require,
> > among other things, having every single user change their password)
> > is worth the effort. Given that so many places have gotten hacked and
> > pwned that the user community response is usually "Meh. Another one",
> > they may rightfully have concluded that risking public shaming is
> > in fact a good business decision...
>
> Here's a bit of pseudocode for you Valdis:
>
>     for each user:
>         let user.new_hash = scrypt(user.old_crypt_hash)
>
>     # now update authentication routine to use user.new_hash with new
>     # nested hashing algorithm
>
> So really, there's actually not a good reason to keep a crappy hash
> database around. Just add a layer of good salted hashing on top.
>
> With that said, the unusual quirk of crypt being limited to 7
> characters is an additional challenge, but you can start with the
> above steps (which immediately improves security), and then slowly
> transition to using scrypt alone or some variant that supports longer
> passwords.
>
> tim
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com>
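Tim's wrap-then-transition scheme, carried through as an added example that is not code from the thread: the legacy digest is a constructed unsalted MD5 stand-in for crypt(3) (truncating like traditional DES crypt), and the scrypt parameters, record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy crypt(3)-style digest: unsalted and,
# like traditional DES crypt, it only looks at the first 8 characters.
LEGACY_MAX_LEN = 8

def legacy_crypt(password: str) -> str:
    return hashlib.md5(password[:LEGACY_MAX_LEN].encode()).hexdigest()

# Assumed scrypt cost parameters (128 * n * r = 16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)

def _scrypt(inner: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(inner, salt=salt, **SCRYPT_PARAMS)

def wrap_legacy(old_crypt_hash: str) -> dict:
    """Step 1 of Tim's migration: scrypt the stored legacy digest, no cleartext needed."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(legacy)", "salt": salt, "hash": _scrypt(old_crypt_hash.encode(), salt)}

def hash_direct(password: str) -> dict:
    """Target scheme: scrypt over the full password, no legacy layer."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": _scrypt(password.encode(), salt)}

def verify(record: dict, password: str) -> bool:
    # The nested scheme must reproduce the legacy digest first, so the
    # truncation quirk of crypt survives until the record is re-hashed.
    inner = legacy_crypt(password).encode() if record["scheme"] == "scrypt(legacy)" else password.encode()
    return hmac.compare_digest(_scrypt(inner, record["salt"]), record["hash"])

def login(user: dict, password: str) -> bool:
    """Step 2: on a successful login the cleartext is available, so move the
    user off the wrapped legacy digest onto scrypt alone."""
    if not verify(user["record"], password):
        return False
    if user["record"]["scheme"] == "scrypt(legacy)":
        user["record"] = hash_direct(password)
    return True

def migrate_all(users: list) -> None:
    """Offline pass over the database: every user gets wrapped, the old digest is dropped."""
    for user in users:
        user["record"] = wrap_legacy(user.pop("old_crypt_hash"))
```

Until a user logs in, a wrapped record still accepts any password that shares the first 8 characters with the real one, which is why the second step is needed.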
