[blag-whereto] password security policy

beloumi beloumi at riseup.net
Fri Jul 24 09:25:26 UTC 2015


On 23.07.2015 at 22:49, GMAIL wrote:
> And if it was sent encrypted how would you know what it was, how would
> you decrypt it to get your password??
>
> Maybe you could help to resolve the issue.....have you got a solution.
>
> Regards
>
> weyasey 
>
Thanks for the quick reply.

Normally it is common practice not to store passwords directly but
hashing them with a password hashing scheme and compare/store the hashes
only.
Because password hashing schemes are costly it should not be easy to
test all common passwords (dictionary attack).
And if anybody has access to the password database she/he can't figure
out the passwords which are probably used for other accounts too.
I would not be surprised if the comparison in the login process is not
time constant, so you can get the passwords more easily than by a
dictionary attack.

The solution would be a password hashing scheme. I would recommend
Scrypt or - if there is a memory problem - Bcrypt. Both are available in
some programming languages.
Unfortunately my programming skills are mainly related to Java and I don't
expect this is written in Java. I have some knowledge in crypto and
limited skills in C/C++. If desired I would help solving this problem as
far as I am able to.
Beloumi