On 17.12.09 00:56, Peter Saint-Andre wrote:
> And even if you do have hashed passwords, if someone breaks into your
> machine then it's not that much work to de-hash them all. It just looks
> scarier if they're in cleartext to start with.
>

That more or less depends on what you store in your authentication database. Considering SCRAM, for example, which has been designed to address the issue of clear text passwords ([1], point 3), you'd ideally store the SaltedPassword, the salt and the iteration count for your users in the authentication database. Since SaltedPassword is generated using Hi(hmac_sha1, password, salt, iteration_count), even if you had the database with all the SaltedPasswords you'd need brute force to find out the clear text passwords, which can take quite some time considering the variable iteration count.
Cheers,
Tobias

[1] http://tools.ietf.org/html/draft-ietf-sasl-scram-10#page-31
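The SaltedPassword derivation Tobias refers to, as an added example that is not part of the original mail: Hi() as specified in the SCRAM draft (HMAC-SHA-1, salt || INT(1), XOR of all iterations), the per-user record a server would store instead of the clear text password, and the server-side check that costs one full Hi() run per candidate at the stored iteration count. The record layout, the 16-byte salt length and the omission of SASLprep are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def scram_hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from the SCRAM draft:
    U1 = HMAC(str, salt || INT(1)), Uk = HMAC(str, U(k-1)),
    Hi = U1 XOR U2 XOR ... XOR Ui. This is one PBKDF2-HMAC-SHA-1 block."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha1).digest()
    result = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        result = bytes(a ^ b for a, b in zip(result, u))
    return result


def make_auth_record(password: str, iterations: int = 4096) -> dict:
    """Assumed server-side record for one user: SaltedPassword, salt and
    iteration count. The clear text password itself is never stored.
    (SASLprep normalisation of the password is omitted in this example.)"""
    salt = secrets.token_bytes(16)  # fresh random salt per user (assumed length)
    salted = scram_hi(password.encode("utf-8"), salt, iterations)
    return {"salted_password": salted, "salt": salt, "iterations": iterations}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute SaltedPassword for a candidate and compare in constant time.
    Anyone holding only the record has to pay the same Hi() cost per guess,
    and the per-user salt means the work cannot be shared across users."""
    guess = scram_hi(candidate.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["salted_password"])
```

Raising the iteration count makes both the legitimate check and every brute-force guess proportionally slower, which is the trade-off the variable iteration count exists for.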
JDev mailing list: http://mail.jabber.org/mailman/listinfo/jdev