> The question we are trying to answer here is how could we all have ultra
> strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and
> every website, email, social media, etc. service that we use but without
> having to trust any third parties to store them for us protected by single
> password (perhaps with 2 factor authentication, hardware key, etc.,
> admittedly), or to use some kind of local password manager that needs to be
> installed on every device you want to use it on with a local encrypted
> password file. Lastly, it should be extremely resistant to rainbow tables
> if and when one of your passwords is leaked.
Peter Gutmann's Security Engineering (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) has a good treatment of Passwords in general. See Chapter 7 on page 563.

John Stevens of OWASP performed threat modelling of passwords in storage on the server. See Secure Password Storage (https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g).

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
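The quoted question asks for per-site passwords that are derived rather than stored, so that nothing has to be trusted to a third party or synced between devices, and that stay resistant to precomputation if one of them leaks. The sketch below is an added example written for this page, not code from either poster or from the books they cite. It shows the usual shape of such a "stateless" scheme: a memory-hard KDF (scrypt, via Python's standard `hashlib`) run over the master secret with the canonicalised site label as the salt, the output mapped onto a printable alphabet without modulo bias, and a deterministic retry so every result contains all four character classes of the example password in the question. The function names, the `stateless-pw-v1` salt prefix and the scrypt cost parameters are my own choices, not anything the page specifies.

```python
import hashlib
import hmac
import string

# Printable alphabet for the derived passwords (75 characters). Constructed for
# this example; a real scheme would let the user pick a per-site alphabet to
# satisfy each service's composition rules.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above it
# are rejected so that every alphabet character is equally likely.
_LIMIT = 256 - (256 % len(ALPHABET))  # 225


def _keystream(key: bytes, round_no: int, nbytes: int) -> bytes:
    """Expand a KDF output into nbytes using HMAC-SHA256 in counter mode.

    The round number is mixed in so that a retry (see below) yields an
    independent stream while remaining fully deterministic.
    """
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = round_no.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def _bytes_to_password(stream: bytes, length: int) -> str:
    """Map bytes onto ALPHABET with rejection sampling (no modulo bias)."""
    chars = []
    for b in stream:
        if b < _LIMIT:
            chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                return "".join(chars)
    raise ValueError("keystream exhausted")  # not reachable with 8*length bytes


def has_all_classes(pw: str) -> bool:
    """True if pw contains a lower, an upper, a digit and a symbol."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def derive_site_password(master_secret: str, site_label: str, length: int = 16) -> str:
    """Deterministically derive a site-unique password from one master secret.

    Nothing is stored per site. The site label acts as a per-site salt, so a
    table precomputed for one service is useless against another, and scrypt's
    memory hardness makes guessing the master secret from a leaked derived
    password expensive. Hypothetical scheme for illustration only.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold all character classes")
    # Canonicalise the label so "Example.com" and " example.com " agree.
    site = site_label.strip().lower()
    key = hashlib.scrypt(
        master_secret.encode("utf-8"),
        salt=b"stateless-pw-v1:" + site.encode("utf-8"),  # versioned, domain-separated salt
        n=2 ** 14, r=8, p=1,   # ~16 MiB; raise n for production use
        dklen=32,
    )
    # Deterministic retry until the result carries every character class.
    for round_no in range(256):
        candidate = _bytes_to_password(_keystream(key, round_no, 8 * length), length)
        if has_all_classes(candidate):
            return candidate
    raise RuntimeError("no compliant password found")  # astronomically unlikely


if __name__ == "__main__":
    # Constructed demo values.
    for label in ("example.com", "example.org"):
        print(label, derive_site_password("correct horse battery staple", label))
```

Two caveats a practitioner would weigh before relying on a scheme like this: the master secret becomes a single point of failure with no server-side lockout to slow guessing, so its strength and the KDF cost carry the whole design; and because the output is a pure function of (secret, site), rotating one leaked password requires adding a per-site counter to the salt, which is exactly the small piece of state the question hoped to avoid.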