Re: FYI LinkedIn passwords hacked

Fri, 08 Jun 2012 13:49:57 -0700 

W dniu 2012-06-08 22:02, Clark Morris pisze:

On 7 Jun 2012 14:28:43 -0700, in bit.listserv.ibm-main you wrote:

[...]

Yet some smug mainframe workers could learn something from this. Such as, 
storing hashed but unsalted passwords is not such a good idea (and, yes, I have 
seen that done on a mainframe).


Would you mind explaining further what unsalted passwords are?


BIG ASSUMPTION: Passwords are kept in the database as hashes.
Keeping passwords in that way is popular, but it is ONE of the methods.
So, a user provides new password, the password is hashed (i.e. using SHA function) and the hash is stored. The result: you can compare hash from databse with hash of password-provided-during-logon. You cannot retrieve the password from database, because ther is no reverse function for SHA. BINGO. "Good people" did create hashes of every word and even combination of words and numbers. It's called rainbow tables. So, when you have user database stolen, you don't need to guess the password using brute force method. You can use rainbow tables. Time to crack the password is reduced significantly. What to do? You can add some random (!) bytes (this is the salt) to the password and then compute the hash. And of course store the salt in opentext form. It causes the hacker cannot use rainbow tables (passwords are SALTED), so time to crack the password is elongated significantly.
BTW: RACF does NOT use the method above. Passwords are encrypted using DES algorithm, more detail: userid (which is not secret) is encrypted and the key is the password (after some "normalization"). Effect: there is not known reverse function, so brute force is the only method for password cracking. Unfortunately it is worse than using password+random bytes, because allowed character set for passwords is quite narrow.
Regarding linkedin: it is still unrelated to mainframes. It is related to any user+password system. And OBVIOUSLY you shouldn't use the same password for top-secret system and some free of charge (and FREE OF RESPONSIBILITY) Internet community portal. And this should be obvious for ANY folk working in IT, and should be know to anynone using Internet. I heard that many people use Internet and some of them are not mainframers, more - some of them are not IT folks. 
That's why I sustain it's off topic.

--
Radoslaw Skorupka
Lodz, Poland
P.S. This is not the only off-topic post here, so I'm not going to fight for "on-topic transparency". From the other hand didn't change my mind about it. 


--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. 
BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax 
+48 (22) 829 00 33, www.brebank.pl, e-mail: [email protected]
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2012 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.410.984 zotych. 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

Reply via email to