-- Never store encrypted passwords, only hashed+salted passwords.
-- Loop through the hashing+salt process multiple times before storing the value.
-- Do not let the user create a password that is in a rainbow table
-- Store hashed+salted passwords in their own table independent of the user information.
-- For every new hashed+salted password that is created in the table, store a random # of fake hashed+salted passwords before and after the real hashed+salted passwords. (See "Security by Obesity")
-- If the user fails to enter information that matches a USERID and a Hashed+Salted password, wait X seconds before informing them. End the program if they cannot enter the correct information after X attempts.


On 04/23/2014 10:19 AM, [email protected] wrote:
Right... so it's like a checksum of sorts that's stored, and the user's entered password is compared with the checksum that's stored. Ok, hash. Checksum, hash, ...whatever. :-)

Thanks,
--Mike


[excessive quoting removed by server]

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
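As an added example (not code from the original post, the list, or Visual FoxPro), here is the scheme described above in Python: a salted, iterated hash (PBKDF2-HMAC-SHA256 via the standard library), a credential table kept apart from the user table and joined only by user id, a constant-time comparison, a fixed delay before a failure is reported, and a lockout after too many failed attempts. The iteration count, delay, attempt limit, the user record and the sample password are all constructed for the demonstration; the "Security by Obesity" padding with fake rows is not shown.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the example; tune the iteration count to your hardware
# so that one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 5
FAILURE_DELAY_SECONDS = 2.0


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salt + iterate: PBKDF2-HMAC-SHA256 over the password with a fresh 16-byte
    random salt. The stored string is self-describing (algorithm, iteration
    count, salt, digest) so the cost can be raised later without a migration."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the digest with the stored salt and iteration count and compare
    in constant time, so the comparison does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Two separate "tables" (constructed): user information and credentials,
# related only by user id. The password below is sample data for the example.
USERS = {1: {"login": "mike", "email": "mike@example.com"}}
CREDENTIALS = {1: hash_password("correct horse battery staple")}
FAILED_ATTEMPTS = {}  # user id -> consecutive failed logins

# Hash verified for unknown logins so a wrong user name costs the same time
# as a wrong password (otherwise response time reveals which logins exist).
DUMMY_HASH = hash_password(os.urandom(16).hex())


class AccountLocked(Exception):
    """Raised once a user has exceeded MAX_FAILED_ATTEMPTS."""


def find_user_id(login_name):
    for user_id, user in USERS.items():
        if user["login"] == login_name:
            return user_id
    return None


def login(login_name, password, sleep=time.sleep):
    """Return True on success, False on failure; raise AccountLocked when the
    attempt limit has been reached. `sleep` is injectable for testing."""
    user_id = find_user_id(login_name)
    if user_id is not None and FAILED_ATTEMPTS.get(user_id, 0) >= MAX_FAILED_ATTEMPTS:
        sleep(FAILURE_DELAY_SECONDS)
        raise AccountLocked("too many failed attempts for %r" % login_name)

    stored = CREDENTIALS[user_id] if user_id is not None else DUMMY_HASH
    if verify_password(password, stored) and user_id is not None:
        FAILED_ATTEMPTS.pop(user_id, None)
        return True

    if user_id is not None:
        FAILED_ATTEMPTS[user_id] = FAILED_ATTEMPTS.get(user_id, 0) + 1
    # Wait X seconds before telling the caller the attempt failed.
    sleep(FAILURE_DELAY_SECONDS)
    return False


if __name__ == "__main__":
    print(CREDENTIALS[1])
    print(login("mike", "correct horse battery staple"))
```

The stored value carries its own salt and iteration count, which is what lets the same `verify_password` check old and new records after the cost is raised. The delay is applied on every failure, including unknown user names, so an attacker learns nothing from response time about which logins exist.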
