On Friday 08 June 2012 11:11 Klaas Freitag wrote:
> On 08.06.2012 10:40, Thomas Tanghus wrote:
> > On Friday 08 June 2012 10:15 Andreas Schneider wrote:
> >> You know there is this rocket science technology from the 70ies. It is
> >> called salt in cryptography. I suggested several times to use salting in
> >> owncloud but we still don't have it.
> >>
> >> First linkedin:
> >> http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
> >>
> >> then last.fm:
> >> http://www.lastfm.de/passwordsecurity
> >>
> >> next: your owncloud installation ...
> >
> > Now I don't know much about cryptography, but I read the code, followed the
> > password, and to me it looks like you're spreading FUD:
>
> This is not spreading FUD, we have to be careful here. Crypto that only
> uses randoms from the same machine is not secure per definition AFAIK.

I respond like that to undocumented, melodramatic mails in the morning ;-)

> The problem is: IF somebody gets the content of the database for
> whatever reason, it should be as difficult as possible to reconstruct
> the passwords used, as users tend to use passwords multiple times.
>
> I think we always should strive for the best possible solution in these
> areas.

Obviously we should. And while we are working out the perfect solution, we are
using a library that has been thoroughly tested and is generally recommended:
http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

-- 
Med venlig hilsen / Best Regards
Thomas Tanghus

_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
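The threat Klaas describes (a leaked user table) and the salting Andreas asks for, as an added illustration that is not ownCloud's code and not from the thread: a constructed three-user table hashed without a salt can be matched against a table precomputed from common passwords, while per-user random salts plus a slow hash (PBKDF2 here, standing in for the bcrypt the linked answer uses; the iteration count is an assumed value) give identical passwords different records and make the precomputed table useless.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; assumed value, not a recommendation from the thread


def hash_unsalted(password):
    """The weak scheme: one fast hash, same output for everyone with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Stored record 'iterations$salt$digest'; salt is 16 random bytes per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def precomputed_table(common_passwords):
    """What is ready before any leak: unsalted hash -> password, built once."""
    return {hash_unsalted(p): p for p in common_passwords}


def recovered_from_leak(table, leaked_hashes):
    """Passwords recovered from leaked hashes by lookup alone, no per-user work."""
    return [table[h] for h in leaked_hashes if h in table]


def demo():
    # Constructed leaked user table: two users chose the same common password.
    users = {"alice": "password", "bob": "password", "carol": "S0mething!Rare"}
    table = precomputed_table(["password", "123456", "letmein"])
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"] == salted["bob"],
        "recovered_unsalted": recovered_from_leak(table, unsalted.values()),
        "recovered_salted": recovered_from_leak(table, salted.values()),
        "verify_ok": verify_salted("password", salted["alice"]),
        "verify_wrong": verify_salted("Password", salted["alice"]),
    }
```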
