I think there are two separate issues here:

a) How, as a user, do you generate "good" passwords? What's considered 
"good" is continually changing - Microsoft (and others) were touting "pass 
phrases" not that long ago, and even then it was pretty obvious that attacks 
would migrate to using whole words and mangled words as part of an attack. Even 
with a tool to generate passwords, do you go back to old sites to update your 
password each time a class of passwords becomes "easy game"?

b) How, as an authentication system, do you safely store the credentials 
of your user base? What rules do you enforce on the passwords that can be 
supplied/generated, and once generated, how best to secure these "at rest" and 
"in transit"? I think this is the main question that Greg is asking.

Greg - sites like Slashdot routinely cover advances in crypto and attack 
vectors in a format that non-experts can easily digest. E.g. GPU-based 
attacking has been the norm for some time now.

Cheers
Ken

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Grant Maw
Sent: Monday, 24 March 2014 11:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

Or, just use Schneier's Password Safe program and let it generate all your 
passwords for you. I've been using it for years and I swear by it. I have 
hundreds of passwords stored in its files and they're all long and very 
complex.

http://passwordsafe.sourceforge.net/

On 22 March 2014 16:08, Greg Keogh <g...@mira.net> wrote:
Folks, in Bruce Schneier's latest newsletter 
(https://www.schneier.com/crypto-gram-1403.html) there is a section 
at the end where he discusses the vulnerability of passwords. One of the links 
is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even 
ignoring that, it's a sobering reminder of the progress in guessing and 
cracking hashed passwords. I was surprised to learn that salting the hashes 
doesn't offer much defence. I was amazed that they were using GPUs for hashing 
and a graph shows that they're faster than CPUs ... is that possible? After 
this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to 
avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that 
msv1_0.dll (http://dll.paretologic.com/detail.php/msv1_0) only stores half a 
user's hash in the registry).

Greg K
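As an added illustration of Ken's question (b) and of Greg's "use a more recent and computationally intensive hasher" lesson, here is a small Python example (not code from the thread or from any project mentioned in it) that puts the fast, unsalted MD5 of the cracked dump beside a salted PBKDF2-HMAC-SHA256 record of the kind a login system should store. PBKDF2 is chosen here only because Python's standard library ships it; the iteration count, the sample passwords and the mini wordlist are constructed for the example. Two things the code makes visible: a per-user random salt means two users with the same password no longer share a hash, so one cracking run no longer covers the whole dump and precomputed tables are useless, but it does nothing to slow a targeted guess against one record; only the work factor does that, and it applies equally to the attacker's guesses and to the defender's logins.

```python
"""Salted, deliberately slow password hashing beside the fast unsalted MD5
used in the Ars Technica cracking test. Added example, not code from the thread.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor. 2**17 PBKDF2 iterations is a value chosen for this example
# (tens of milliseconds per hash on a 2014-era desktop); tune it on your own
# hardware so a login costs a noticeable but acceptable fraction of a second.
PBKDF2_ITERATIONS = 2 ** 17
SALT_BYTES = 16
DKLEN = 32


def unsalted_md5(password: str) -> str:
    """The scheme the cracked dump used: one fast hash, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    Storing the parameters next to the hash is what lets you raise the work
    factor later and re-hash each user on their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time so a timing side channel does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def dictionary_attack(record: str, wordlist) -> Optional[str]:
    """What a cracker does to a single salted record: the salt is right there
    in the record, so every guess still works; each one just costs `iterations`
    hashes instead of one."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def seconds_per_hash(fn, rounds: int = 3) -> float:
    """Rough wall-clock cost of one call to fn; use it to choose the iteration count."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn("correct horse battery staple")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    alice = hash_password("Password1")
    bob = hash_password("Password1")
    print("unsalted MD5 identical for both users:",
          unsalted_md5("Password1") == unsalted_md5("Password1"))
    print("salted PBKDF2 identical for both users:", alice == bob)
    print("login with right password:", verify_password("Password1", alice))
    print("login with wrong password:", verify_password("password1", alice))
    # Constructed mini wordlist; the salt does not stop a targeted guess.
    print("dictionary hit:", dictionary_attack(alice, ["123456", "letmein", "Password1"]))
    md5_t = seconds_per_hash(unsalted_md5)
    kdf_t = seconds_per_hash(hash_password)
    print(f"MD5: {md5_t * 1e6:.1f} us/hash, PBKDF2: {kdf_t * 1e3:.1f} ms/hash, "
          f"ratio ~{kdf_t / md5_t:,.0f}x")
```

The ratio printed at the end is the whole point of a "computationally intensive hasher": a GPU rig that tries billions of MD5 guesses per second is slowed by the same factor as your login page, and because the iteration count is stored with each record you can raise it as hardware improves and re-hash users transparently when they next log in.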
