[blag-whereto] password security policy
weyasey at gmail.com
Fri Jul 24 21:56:35 UTC 2015
Thanks for your insight into this issue/problem. We would welcome your help
to resolve this and any other issues/problems that exist within our
current setup.
As to your programming skills, I can assure you they far exceed mine,
which at present stand at zero, so you would be a welcome and valued
addition to our group.
On Fri, 2015-07-24 at 11:25 +0200, beloumi wrote:
> On 23.07.2015 at 22:49, GMAIL wrote:
> > And if it was sent encrypted how would you know what it was, how would
> > you decrypt it to get your password??
> > Maybe you could help to resolve the issue.....have you got a solution.
> > Regards
> > weyasey
> Thanks for the quick reply.
> Normally it is common practice not to store passwords directly but
> to hash them with a password hashing scheme and compare/store the hashes.
> Because password hashing schemes are costly, it should not be easy to
> test all common passwords (dictionary attack).
> And if anybody has access to the password database she/he can't figure
> out the passwords which are probably used for other accounts too.
> I would not be surprised if the comparison in the login process is not
> time constant, so you can get the passwords more easily than by a
> dictionary attack.
> The solution would be a password hashing scheme. I would recommend
> Scrypt or - if there is a memory problem - Bcrypt. Both are available in
> some programming languages.
> Unfortunately my programming skills are mainly related to Java and I don't
> expect this is written in Java. I have some knowledge in Crypto and
> limited skills in C/C++. If desired, I would help solving this problem as
> far as I am able to.