Good Read: Password Hashing.

by Tim O'Brien

From Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes:

"Most of the industry’s worst security problems (like the famously bad LANMAN hash) happened because smart developers approached security code the same way they did the rest of their code. The difference between security code and application code is, when application code fails, you find out right away. When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia."

This post was written in response to an alarmist post that had been highly reddit'd (aren't all highly reddit'd posts alarmist?). Besides being an effective smackdown, this post is also a good survey of approaches to password hashing. There is a good pointer to SRP.


Carla Schroder
2007-12-02 11:57:51
Like that CVV2 number adds any meaningful security in the first place. The first time you use it anywhere, it's out there. The one thing that makes credit cards reasonably secure is credit card owners are not held liable for fraud. So the cards themselves are not all that secure; we're just protected from the consequences when they fall into the wrong hands.

Cryptography geeks can argue about their favorite hashes, algorithms, and super-sekkrit decoder rings until the heat death of the universe, but the fact of the matter is all cryptography has a shelf life. Sooner or later the latest greatest wotsit will be broken.

Most successful thefts of financial data are not the result of uber-elite cracking, anyway- they're inside jobs or plain old-fashioned theft and stupidity, like the temps at Ford Motor Credit Co. that stole and sold customer financial data, unencrypted backup media getting stolen from the vehicles of "contractors" (they always blame contractors), lost laptops containing unencrypted databases of millions of sensitive financials, and so forth.