https://bugzilla.wikimedia.org/show_bug.cgi?id=28419
--- Comment #8 from Brion Vibber <[email protected]> 2011-05-11 03:01:12 UTC ---

A related idea about strengthening password hashes:
http://cslyon.net/2011/05/10/sha-512-w-per-user-salts-is-not-enough/

In addition to using per-user salt (as we already do) and a slower, iterated hash function (as proposed here), Lyon recommends hashing in a system shared secret that's stored outside the database.

This doesn't add much in case of a full compromise, but protects against dictionary attacks on the hashes if they've been obtained through SQL injection alone.

Of course, the downside is that if you lose the config file with the key, all your passwords need to be reset -- so if enabled for default installs it could increase the risk of inconvenience and data loss for admins used to being able to dump and replace config files with impunity.
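The scheme discussed in the comment above, as an added illustration that is not MediaWiki code and not from the linked post: a per-user salt and an iterated hash (PBKDF2-HMAC-SHA512 here) plus a server-side secret ("pepper") that lives in the config file rather than in the database. The pepper value, iteration count and wordlist are constructed for the example. The `dictionary_attack` function models an attacker who has the database row (salt, iteration count, hash) but not the config file, and `verify` with a different pepper models the caveat about losing the config file.

```python
import hashlib
import hmac
import os

# Hypothetical server-side secret. In the real deployment this would be read
# from the config file on disk, never stored in the database.
PEPPER = b"example-config-file-secret-not-in-db"
ITERATIONS = 100_000  # constructed value; tune to the server's budget


def hash_password(password: str, salt: bytes, pepper: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Pepper -> HMAC of the password, then salted, iterated PBKDF2.

    Keying an HMAC with the pepper (rather than concatenating) means an attacker
    without the pepper cannot even form the input to the slow hash.
    """
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", keyed, salt, iterations)


def new_record(password: str, pepper: bytes = PEPPER) -> dict:
    """What would be stored in the user table: salt, cost and hash only."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": hash_password(password, salt, pepper)}


def verify(record: dict, password: str, pepper: bytes = PEPPER) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    candidate = hash_password(password, record["salt"], pepper,
                              record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_attack(record: dict, wordlist, pepper: bytes):
    """Offline guess against a leaked row. `pepper` is whatever the attacker
    has: the real secret after a full compromise, or a guess (e.g. empty)
    after an SQL-injection-only leak. Returns the recovered password or None."""
    for word in wordlist:
        guess = hash_password(word, record["salt"], pepper, record["iterations"])
        if hmac.compare_digest(guess, record["hash"]):
            return word
    return None


if __name__ == "__main__":
    row = new_record("correct horse")
    words = ["password", "letmein", "correct horse", "qwerty"]
    print("login ok:", verify(row, "correct horse"))
    print("DB leak + config leak:", dictionary_attack(row, words, PEPPER))
    print("DB leak only:", dictionary_attack(row, words, b""))
    print("config lost, new pepper:", verify(row, "correct horse", b"rotated"))
```

The last two lines of the demo are the two points made in the comment: with the database row alone the wordlist attack fails, and once the pepper is gone (or rotated) every stored hash stops verifying, so all passwords must be reset.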
