Comments on Clayton Cramer: Who Keeps Actual Passwords in Their Security Control?

Comment by Sigivald (2019-06-07T11:43:53-06:00):

"not as good as encryption; there are brute force methods, requiring several NSA's of computing power to try all combinations to see if they produce the target hash"

Especially a few years ago, I wouldn't expect most websites to use hashes that were remotely that secure.

Even today I wouldn't trust *most of them* to be using bcrypt and strong salts, frankly.

Though with the hardware the NSA has I doubt it'd take several NSAs, just a lot of their attention. I would not be the least bit surprised to find the NSA had a few conex containers lying around stuffed with FPGAs or GPUs dedicated to *nothing* but bcrypt hashing. And that's the *non-paranoid* assessment.

(I count myself lucky if a website's not just using md5, which has long had rainbow tables available.)

Comment by wb (2019-06-05T15:20:44-06:00):

If you go back decades ago that is true about UNIX has, but after that the major commercial Unixes like HP-UX, Solaris, etc. along with Linux, BSD, and MacOS use encrypted shadow passwords.

Comment by Billy Oblivion (2019-06-05T15:07:50-06:00):

"Unix systems only store a hash of the password (not as good as encryption; there are brute force methods, requiring several NSA's of computing power to try all combinations to see if they produce the target hash)."

Almost all "professional" password storage systems, including Unix and Windows (and Active Directory), store a cryptographic hash of the password. Technically a "salt" plus a password.

It's actually *more* secure than an "encrypted" password because there is no key that can be stolen.

If you had a password database that stored "encrypted" passwords you would either need to have a separate database with the keys for those passwords, or a single key to all of those passwords. Either way the *same* attack that collects the password database would be able to get you the key or key database as well.