- Never, ever log passwords in any manner.
- Never hash passwords with SHA1 or MD5 or even SHA256! Modern crackers can exceed 60 and 180 billion hashes/second (respectively).
- Don't mix bcrypt with the raw output of hash(); either use hex output or base64_encode it. (This applies to any input that may have a rogue \0 in it, which can seriously weaken security.)
- Use scrypt when you can; bcrypt if you cannot.
- Use PBKDF2 if you cannot use either bcrypt or scrypt, with SHA2 hashes.
- Reset everyone's passwords when the database is compromised.
- Implement a reasonable 8-10 character minimum length, plus require at least 1 upper case letter, 1 lower case letter, a number, and a symbol. This will improve the entropy of the password, in turn making it harder to crack. (See the "What makes a good password?" section for some debate.)

The objective behind hashing passwords is simple: preventing malicious access to user accounts by compromising the database. So the goal of password hashing is to deter a hacker or cracker by costing them too much time or money to calculate the plain-text passwords. And time/cost are the best deterrents in your arsenal.

Another reason that you want a good, robust hash on user accounts is to give you enough time to change all the passwords in the system. If your database is compromised you will need enough time to at least lock the system down, if not change every password in the database.

Jeremiah Grossman, CTO of Whitehat Security, stated on the White Hat Security blog after a recent password recovery that required brute-force breaking of his password protection:

> Interestingly, in living out this nightmare, I learned A LOT I didn't know about password cracking, storage, and complexity. I've come to appreciate why password storage is ever so much more important than password complexity. If you don't know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.

(Emphasis mine.)

What makes a good password anyway?

Entropy. (Not that I fully subscribe to Randall's viewpoint.)

In short, entropy is how much variation is within the password. When a password is only lowercase roman letters, that's only 26 characters. Alpha-numeric passwords are better, with 36 characters. But allowing upper and lower case, with symbols, is roughly 96 characters. One problem is, to make our passwords memorable we insert patterns, which reduces entropy. Using the full range of ASCII characters (roughly 96 typeable characters) yields an entropy of 6.6 bits per character, which at 8 characters for a password is still too low (52.679 bits of entropy) for future security. But the good news is: longer passwords, and passwords with unicode characters, really increase the entropy of a password and make it harder to crack.

There's a longer discussion of password entropy on the Crypto StackExchange site. A good Google search will also turn up a lot of results.

In the comments I talked with a reader who pointed out that enforcing a password policy of X length with X many letters, numbers, symbols, etc., can actually reduce entropy by making the password scheme more predictable. Randomness, as truly random as possible, is always the safest but least memorable solution.

So far as I've been able to tell, making the world's best password is a Catch-22. Either it's not memorable, too predictable, too short, too many unicode characters (hard to type on a Windows/Mobile device), too long, etc. No password is truly good enough for our purposes, so we must protect them as though they were in Fort Knox.

Best practices

bcrypt and scrypt are the current best practices. Scrypt will be better than bcrypt in time, but it hasn't seen adoption as a standard by Linux/Unix or by webservers, and hasn't had in-depth reviews of its algorithm posted yet. But still, the future of the algorithm does look promising.
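An added example (written for this page; it is not code from the original post or from any library the post names) showing the storage side of the practices above using only Python's standard library: a salted scrypt derivation with a PBKDF2-HMAC-SHA256 fallback, stored as a self-describing record so the cost can be raised later, constant-time verification, and a small survey that illustrates the rogue \0 warning: a raw SHA-256 digest fed to an API that treats the password as a C string gets silently cut at the first 0x00 byte, while a hex or base64 pre-hash never contains one. The cost parameters, the record format and the "constructed-password-N" inputs are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Cost parameters are assumptions for this example; raise them as your hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 128 * r * N = 16 MiB per derivation
PBKDF2_ITERATIONS = 600_000
DKLEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Derive a key from the password under a fresh random salt and return a
    self-describing record (algorithm, cost, salt, key), all text-safe (base64).
    scrypt is preferred; PBKDF2-HMAC-SHA256 is the fallback when this
    Python/OpenSSL build does not expose hashlib.scrypt."""
    salt = secrets.token_bytes(16)          # new salt per password, never reused
    pw = password.encode("utf-8")
    if hasattr(hashlib, "scrypt"):
        dk = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
        return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                         _b64(salt), _b64(dk)])
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DKLEN)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), _b64(salt), _b64(dk)])


def verify_password(record: str, password: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time.
    Malformed or unknown records verify as False rather than raising."""
    parts = record.split("$")
    pw = password.encode("utf-8")
    try:
        if parts[0] == "scrypt":
            _, n, r, p, salt_b64, dk_b64 = parts
            candidate = hashlib.scrypt(pw, salt=base64.b64decode(salt_b64),
                                       n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        elif parts[0] == "pbkdf2_sha256":
            _, iters, salt_b64, dk_b64 = parts
            candidate = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64),
                                            int(iters), dklen=DKLEN)
        else:
            return False
        stored = base64.b64decode(dk_b64)
    except ValueError:          # wrong field count, bad integer or bad base64
        return False
    return hmac.compare_digest(candidate, stored)


def c_string_view(data: bytes) -> bytes:
    """What an API that takes the password as a C string actually consumes:
    everything up to, but not including, the first NUL byte."""
    return data.split(b"\x00", 1)[0]


def nul_truncation_survey(n: int = 5000):
    """Pre-hash n constructed passwords with SHA-256 and count how often a C-string
    consumer would shorten the input. Returns (raw digests cut short, base64 digests
    cut short, distinct raw digests that survive truncation). Roughly 12% of raw
    32-byte digests contain a NUL; every digest starting with 0x00 collapses to b''."""
    raw_cut = enc_cut = 0
    survivors = set()
    for i in range(n):
        digest = hashlib.sha256(f"constructed-password-{i}".encode()).digest()
        raw, enc = digest, base64.b64encode(digest)   # base64 (or hex) never contains 0x00
        raw_cut += c_string_view(raw) != raw
        enc_cut += c_string_view(enc) != enc
        survivors.add(c_string_view(raw))
    return raw_cut, enc_cut, len(survivors)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"), verify_password(rec, "wrong"))
    print(nul_truncation_survey())
```

The record carries its own cost parameters, so a deployment can raise N or the iteration count for new passwords and still verify old ones; the survey's third value is below the number of inputs whenever two raw digests collapse to the same prefix, which is the collision the encoded form avoids.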
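An added example (mine, not from the original post) that carries the arithmetic of the "What makes a good password anyway?" section through in code: bits of entropy per character for the three alphabets the post names, total entropy for a given length, the shortest length that reaches a target, and the average exhaustive-search time at the 60 and 180 billion hashes/second rates the post quotes for SHA1 and MD5, set beside an assumed throughput for a deliberately slow KDF. The 1e5 hashes/second figure for the slow KDF is an illustrative assumption, not a measurement; the uniform-choice model is an upper bound, since patterns and rigid policies lower real entropy.

```python
import math

# Alphabet sizes from the "What makes a good password anyway?" section.
ALPHABETS = {"lowercase": 26, "alphanumeric": 36, "printable ascii": 96}

# Cracker throughput quoted on the page for fast, unsalted hashes (hashes per second).
FAST_HASH_RATES = {"sha1": 60e9, "md5": 180e9}

# Assumed throughput for a tunable slow KDF (illustrative assumption, not a measurement).
SLOW_KDF_RATE = 1e5

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character when each character is chosen uniformly at random."""
    return math.log2(alphabet_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` characters drawn uniformly from the alphabet.
    Upper bound only: memorable patterns and rigid composition rules reduce it."""
    return length * bits_per_char(alphabet_size)


def expected_crack_seconds(entropy_bits: float, hashes_per_second: float) -> float:
    """Average time for exhaustive search: half the space is tried on average."""
    return (2 ** entropy_bits / 2) / hashes_per_second


def minimum_length_for(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random password over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def crack_time_table(length: int = 8) -> dict:
    """Years to crack a uniformly random password of `length` characters, per alphabet,
    against each fast hash rate and against the assumed slow KDF rate."""
    rates = dict(FAST_HASH_RATES, slow_kdf=SLOW_KDF_RATE)
    table = {}
    for name, size in ALPHABETS.items():
        bits = password_entropy_bits(size, length)
        table[name] = {h: expected_crack_seconds(bits, r) / SECONDS_PER_YEAR
                       for h, r in rates.items()}
    return table


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:16s} {bits_per_char(size):.2f} bits/char, "
              f"8 chars = {password_entropy_bits(size, 8):.2f} bits, "
              f"80 bits needs {minimum_length_for(size, 80)} chars")
    for name, row in crack_time_table(8).items():
        print(name, {h: f"{years:.3g} years" for h, years in row.items()})
```

With the page's figures, an 8-character printable-ASCII password (52.68 bits) falls to a SHA1-speed cracker in well under a day on average, while the same password behind a KDF running at 1e5/s costs on the order of a thousand years; the slow hash, not the composition rule, is what moves the number.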