Re: Hashed PW's more secure than encrypted PW's?

From: Bernd Eckenfels
Date: 06/14/02

From: Bernd Eckenfels <>
Date: 14 Jun 2002 19:35:04 GMT

sakky <> wrote:
> I have read many times how the preferred way in most Unix flavors to keep
> track of passwords is to keep hashes of those passwords. I have read lots
> of things that have stated that this is more secure than merely encrypting
> those passwords. Clearly this is more secure than just keeping the
> clear-text passwords lying around.

Actually the traditional Unix crypt was also a hash. The problem with hash
vs. crypt is only that the hash is longer and therefore harder to brute
force and to dictionary attack.

If you would really encrypt a password with a secret, then you have to
protect that secret, which is much harder, because you have to have it
accessible every time somebody logs in.

By hashing, the original password is "destroyed" and not remembered, so an
intruder and even an admin who can read the hash cannot recover it. This is
also to protect users who are foolish enough to reuse their password.

Of course it does not help against sniffing and trojans or logged

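As an added illustration (not code from the thread or from the poster), the two storage models the reply contrasts side by side: a hashed record that login verifies by recomputation and that yields nothing to whoever reads it, and an encrypted record that login must decrypt with a key kept on the server, so anyone holding the record plus that key gets the password back. The plain SHA-256 and the HMAC-based keystream cipher are constructed for brevity here; a production system would use a salted, deliberately slow password hash instead.

```python
import hashlib
import hmac
import secrets

# Constructed sample key; not from the original thread. The login code
# must be able to read this, which is the protection problem the reply describes.
SECRET_KEY = b"server-side-secret-key"


def hash_password(password: str) -> str:
    """Hashed storage: one-way digest, nothing to recover from the record."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_hashed(stored_digest: str, candidate: str) -> bool:
    # Recompute and compare in constant time; the record itself never yields the password.
    return hmac.compare_digest(stored_digest, hash_password(candidate))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (illustration only, not a recommended cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> bytes:
    """Encrypted storage: reversible, so record plus key reveals the password."""
    nonce = secrets.token_bytes(8)
    data = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_password(record: bytes, key: bytes) -> str:
    nonce, body = record[:8], record[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def verify_encrypted(record: bytes, candidate: str, key: bytes) -> bool:
    # Login has to decrypt, so the key must be present wherever logins are checked.
    return hmac.compare_digest(decrypt_password(record, key).encode(), candidate.encode())


def what_a_reader_recovers(record, key=None):
    """What someone who can read the stored record (and, for encryption, the key) gets back."""
    if isinstance(record, str):
        return None  # hash only: the original password is gone
    return decrypt_password(record, key)
```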
