On Wednesday, August 19, 2015, Mark Rotteveel <m...@lawinegevaar.nl> wrote:
> >
> > In the final analysis, hardening any computing system requires that the
> > most vulnerable links be addressed first. In Firebird, that is the use
> > of human chosen passwords.
>
> Using a client-side password vault is an interesting idea, but it does
> not really have an impact on server-side security, except that it allows
> you to use more random keys; a similar effect can be achieved by using
> significantly longer passwords and a better hashing algorithm (one that
> generates more bits and generates a cryptographically stronger hash, for
> example SHA-384 or SHA-512), maybe combined with PBKDF2 (using it as a
> key-derivation algorithm) which allows you to generate even more bits.
>
> Mark, you're basically wrong. Just longer human chosen passwords by
> themselves don't give much additional security. The passwords "mary",
> "mary had a", and "mary had a little lamb" are not that much different
> if the user had used similar patterns in the past.
> A "better" hashing algorithm has no significant effect. The difference in
> security between a 20 byte hash and a 64 byte hash is 1 / 2^128, a number
> so small that there isn't enough computer memory on earth to hold it in
> decimal format. Please think about that.
> A client-side password vault should be just that, purely client-side, and
> it should not reflect in any way in the protocol or handshake. I think
> it provides a false sense of security though, as you protect a big
> secret with a smaller secret, and as such you don't add any real
> protection over using the smaller secret 'directly' (through some kind
> of key derivation algorithm as above).
> You can protect it to the degree that brute force becomes computationally
> infeasible, but only because client cycles are cheap and don't degrade the
> server.
>
> Before you just repeat yourself, read the following good article:
> https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
> It gives very good advice about how to think about security. There are
> related articles listed that are also well worth reading.
>
> Mark
> --
> Mark Rotteveel
>
>
> ------------------------------------------------------------------------------
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
--
Jim Starkey
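The passwords traded in the quoted exchange ("mary", "mary had a", "mary had a little lamb") make it easy to put the attacker's side of the argument into running code. The script below is an added example, not code from the thread, from Mark Rotteveel or Jim Starkey, or from Firebird: it runs the same offline dictionary attack against a salted SHA-1 verifier (20 bytes), a salted SHA-512 verifier (64 bytes) and a PBKDF2-HMAC-SHA-512 verifier, and reports the guess space in bits, the hash output width in bits, the number of guesses each attack needs, and the rough wall-clock cost of searching the whole space. The candidate list (prefixes of a nursery rhyme), the salt and the iteration counts are constructed assumptions for the demonstration.

```python
"""Added example (not from the Firebird-Devel thread or from Firebird itself):
the work of an offline attack on a stored password verifier is bounded by the
size of the password guess space times the cost of one guess, whatever the
width of the hash output. All inputs below are constructed assumptions.
"""
import hashlib
import hmac
import math
import time
from typing import Callable, List, Optional, Tuple

# Constructed guess space (an assumption for this example): a user who builds
# passwords by taking prefixes of a rhyme they know. "mary", "mary had a" and
# "mary had a little lamb" are all prefixes of it, so an attacker who has seen
# the pattern before needs at most len(CANDIDATES) guesses for any of them.
RHYME = "mary had a little lamb its fleece was white as snow".split()
CANDIDATES: List[str] = [" ".join(RHYME[:n]) for n in range(1, len(RHYME) + 1)]

SALT = b"constructed-per-user-salt"   # assumption: a fixed, known per-user salt

Verifier = Callable[[str], bytes]     # password -> value stored on the server


def sha1_verifier(pw: str) -> bytes:
    """Salted single SHA-1: 20-byte output."""
    return hashlib.sha1(SALT + pw.encode()).digest()


def sha512_verifier(pw: str) -> bytes:
    """Salted single SHA-512: 64-byte output, more bits but the same work per guess."""
    return hashlib.sha512(SALT + pw.encode()).digest()


def pbkdf2_verifier(iterations: int) -> Verifier:
    """PBKDF2-HMAC-SHA-512 with an assumed iteration count; 64-byte output."""
    def verifier(pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha512", pw.encode(), SALT, iterations)
    return verifier


def guess_space_bits(candidates: List[str]) -> float:
    """Entropy of a password drawn uniformly from the candidate list."""
    return math.log2(len(candidates))


def crack(stored: bytes, verifier: Verifier, candidates: List[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against one stored verifier.

    Returns (recovered password or None, number of guesses hashed). The attacker
    never touches the hash's output space; it only walks the candidate list.
    """
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(verifier(guess), stored):
            return guess, n
    return None, len(candidates)


def guesses_to_crack(password: str, verifier: Verifier) -> int:
    """Store `password` with `verifier`, then count the guesses needed to recover it."""
    recovered, n = crack(verifier(password), verifier, CANDIDATES)
    if recovered != password:
        raise RuntimeError("password not in the constructed candidate list")
    return n


def seconds_per_guess(verifier: Verifier, sample: int = 5) -> float:
    """Rough wall-clock cost of one guess; the verifier choice only moves this number."""
    guesses = CANDIDATES[:sample]
    t0 = time.perf_counter()
    for guess in guesses:
        verifier(guess)
    return (time.perf_counter() - t0) / len(guesses)


if __name__ == "__main__":
    verifiers = [
        ("SHA-1", sha1_verifier),
        ("SHA-512", sha512_verifier),
        ("PBKDF2-HMAC-SHA-512 x 200000", pbkdf2_verifier(200_000)),   # assumed count
    ]
    print(f"guess space: {len(CANDIDATES)} candidates = {guess_space_bits(CANDIDATES):.2f} bits")
    for pw in ("mary", "mary had a", "mary had a little lamb"):
        for name, v in verifiers:
            print(f"{pw!r:28} {name:30} output={len(v(pw)) * 8:>3} bits  "
                  f"guesses={guesses_to_crack(pw, v):>2}  "
                  f"full search ~{seconds_per_guess(v) * len(CANDIDATES):.4f}s")
```

Run as a script, the guess count for a given password is the same for all three verifiers, because the attack enumerates the candidate list rather than the 160- or 512-bit output space; the eleven-entry list is about 3.5 bits of guess space however many bits the hash emits. The only column that changes with the verifier is the per-guess cost, and it changes by the PBKDF2 iteration count, which is the cost paid once per login on the client and once per guess by the attacker.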