On Dec 16, 2009, at 4:17 PM, Tobias Markmann wrote:

> On 17.12.09 00:56, Peter Saint-Andre wrote:
>> And even if you do have hashed passwords, if someone breaks into your
>> machine then it's not that much work to de-hash them all. It just looks
>> scarier if they're in cleartext to start with.
>>
> That more or less depends on what you store in your authentication
> database. Considering SCRAM for example, which has been designed to
> address the issue of clear text passwords ([1], point 3), you'd ideally
> store the SaltedPassword, the salt and the iteration count for your
> users in the authentication database.
> Since SaltedPassword is generated using Hi(hmac_sha1, password,
> salt, iteration_count), even if you had the database with all the
> SaltedPasswords you'd need brute force to find out the clear text
> passwords, which can take quite some time considering the variable
> iteration count.
Computing power on the black market is quite cheap.

-- Kurt

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________
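The Hi() function Tobias describes is PBKDF2 with HMAC-SHA1 as the PRF (RFC 5802 section 2.2), and the iteration count is the only knob that makes each offline guess against a stolen authentication database more expensive, which is the trade-off Kurt's reply is about. The following is an added illustration, not code from either poster or from any XMPP server: it writes Hi() out step by step, builds the per-user record a SCRAM-SHA-1 server keeps (salt, iteration count, StoredKey, ServerKey per RFC 5802 section 3), and verifies a password against it; the salt and the `b"Client Key"`/`b"Server Key"` labels are from the RFC, all other names are this example's own.

```python
import hashlib
import hmac
import os

# SCRAM-SHA-1 (RFC 5802): H = SHA-1, HMAC = HMAC-SHA1, Hi() = PBKDF2 with a
# single output block of H's digest length.
HASH = "sha1"
DIGEST_LEN = hashlib.new(HASH).digest_size


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from RFC 5802 section 2.2.
    U1 = HMAC(str, salt || INT(1)); Ui = HMAC(str, Ui-1); Hi = U1 XOR ... XOR Ui.
    Every iteration costs one HMAC, for the legitimate server and for anyone
    testing guesses against a leaked record alike."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", HASH).digest()
    result = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, HASH).digest()
        for k in range(DIGEST_LEN):
            result[k] ^= u[k]
    return bytes(result)


def make_scram_record(password: str, iterations: int, salt: bytes = None) -> dict:
    """What a SCRAM server stores for one user (RFC 5802 section 3): salt,
    iteration count, StoredKey = H(ClientKey) and ServerKey. The
    SaltedPassword is derived here but does not need to be kept."""
    salt = os.urandom(16) if salt is None else salt
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "stored_key": hashlib.new(HASH, client_key).hexdigest(),
        "server_key": server_key.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the record from a candidate password and compare StoredKey.
    The re-derivation repeats all record['iterations'] HMACs, which is why a
    higher iteration count slows an offline dictionary attack proportionally."""
    derived = make_scram_record(candidate, record["iterations"], bytes.fromhex(record["salt"]))
    return hmac.compare_digest(derived["stored_key"], record["stored_key"])


if __name__ == "__main__":
    rec = make_scram_record("pencil", 4096)  # constructed sample user
    print(rec)
    print("correct password accepted:", verify_password(rec, "pencil"))
    print("wrong password rejected:", not verify_password(rec, "pencils"))
```

Because Hi() is PBKDF2-HMAC-SHA1, `hi()` agrees with the RFC 6070 PBKDF2 test vectors and with `hashlib.pbkdf2_hmac("sha1", ...)`, which is a quick way to check a SCRAM implementation.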
