Re: Hashed PW's more secure than encrypted PW's?

From: Bernd Eckenfels (ecki-news2002-06@lina.inka.de)
Date: 06/14/02

sakky <sakhalinrf@hotmail.com> wrote:
> I have read many times how the preferred way in most Unix flavors to keep
> track of passwords is to keep hashes of those passwords. I have read lots
> of things that have stated that this is more secure than merely encrypting
> those passwords. Clearly this is more secure than just keeping the
> clear-text passwords lying around.

Actually, the traditional Unix crypt was also a hash. The only problem with hash
vs. crypt is that the hash is longer and therefore harder to brute
force and to dictionary attack.

If you would really encrypt a password with a secret, then you have to
protect that secret, which is much harder, because you have to have it
accessible every time somebody logs in.

By hashing, the original password is "destroyed" and not remembered, so an
intruder, and even an admin who can read the hash, cannot recover it. This
also protects users who are foolish enough to reuse their password.

Of course it does not help against sniffing and trojans or logged
mis-attempts.

Greetings
Bernd
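The contrast Bernd draws, as an added example that is not part of the thread: a salted one-way password record (PBKDF2-SHA256 is assumed here as a modern stand-in for crypt; the record format, iteration count and function names are this example's own) next to a reversible scheme keyed by a server-held secret. The "encryption" is a constructed toy keystream, present only to show that whoever can read the secret gets every password back, while the hash record can only be checked.

```python
"""Hashed vs. encrypted password storage (constructed demonstration)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"   # assumed record tag, not a standard name


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """One-way: the stored record lets us check a password, not recover it.
    A fresh random salt per record means the same password yields different
    records, so a reused password cannot be matched across users or sites."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- Contrast: reversible storage keyed by a secret the login server holds ---
# Toy keystream (SHA-256 in counter mode), constructed only to make the point.
# It is not a real cipher and is not meant to be used for anything else.
SERVER_SECRET = b"constructed-demo-secret"   # must be readable at every login


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, secret: bytes = SERVER_SECRET) -> bytes:
    nonce = os.urandom(8)
    data = password.encode("utf-8")
    ks = _keystream(secret, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt_password(blob: bytes, secret: bytes = SERVER_SECRET) -> str:
    """Anyone holding `secret` (an admin, or an intruder who copied it from the
    login host) turns the stored blob straight back into the password."""
    nonce, body = blob[:8], blob[8:]
    ks = _keystream(secret, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks)).decode("utf-8")


def compare_schemes(password: str) -> dict:
    """Summarise what each storage scheme does and does not allow."""
    rec1 = hash_password(password)
    rec2 = hash_password(password)
    blob = encrypt_password(password)
    return {
        "hash_verifies": verify_password(password, rec1),
        "hash_rejects_wrong": verify_password(password + "x", rec1),
        "same_password_different_records": rec1 != rec2,
        "encrypted_recoverable_with_secret": decrypt_password(blob) == password,
    }


if __name__ == "__main__":
    for key, value in compare_schemes("correct horse battery staple").items():
        print(f"{key}: {value}")
```

The hash record carries its own salt and iteration count, so verification needs nothing secret on the server; the reversible scheme needs `SERVER_SECRET` readable by the login process at all times, which is exactly the thing that then has to be protected.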